The Reliability Analysis Center (RAC) is a Department of Defense Information Analysis

1.0 INTRODUCTION

The  Failure  Mode,  Effects  and  Criticality  Analysis  (FMECA)  is  a  reliability 
evaluation/design  technique  which  examines  the  potential  failure  modes  within  a 
system  and  its  equipment,  in  order  to  determine  the  effects  on  equipment  and 
system  performance.  Each  potential  failure  mode  is  classified  according  to  its  impact 
on mission success and personnel/equipment safety. The FMECA is composed of
two  separate  analyses,  the  Failure  Mode  and  Effects  Analysis  (FMEA)  and  the 
Criticality  Analysis  (CA).  The  FMECA: 

•  Determines  the  effects  of  each  failure  mode  on  system  performance 

•  Provides  data  for  developing  fault  tree  analysis  and  reliability  block  diagram 
models 

•  Provides  a  basis  for  identifying  root  failure  causes  and  developing  corrective 
actions 

•  Facilitates  investigation  of  design  alternatives  to  consider  high  reliability  at 
the  conceptual  stages  of  the  design 

•  Aids  in  developing  test  methods  and  troubleshooting  techniques 

•  Provides  a  foundation  for  qualitative  reliability,  maintainability,  safety  and 
logistics  analyses 

The  results  of  the  FMECA: 

•  Highlight  single  point  failures  requiring  corrective  action 

•  Rank  each  failure  according  to  the  severity  classification  of  the  failure  effect 
on mission success and personnel/equipment safety

•  Provide  estimates  of  system  critical  failure  rates 

•  Provide  a  quantitative  ranking  of  system  and/or  subsystem  failure  modes 

•  Identify reliability/safety critical components

1.1 FMECA Benefits

The  FMECA  facilitates  identification  of  potential  design  reliability  problem  areas 
which  must  be  eliminated  or  their  effect  minimized,  by  design  modification  or 
tradeoffs.  Specific  defects  identified  can  include: 

•  Circuit  failures  that  may  cause  the  failure  of  a  related  critical  circuit 

•  Areas  where  fail  safe  or  fail  soft  features  are  required 

•  Primary  failures  which  may  cause  costly  secondary  failures 

Information  and  knowledge  gained  by  performing  the  FMECA  can  also  be  used 
as a basis for troubleshooting activities, maintenance manual development and
design  of  effective  built-in  test  techniques. 

The  FMECA  provides  valuable  information  for  maintainability,  safety  and 
logistic  analysis. 

1.2  FMECA  Characteristics 


The  FMECA  should  be  scheduled  and  completed  concurrently  as  an  integral  part 
of  the  design  process.  This  analysis  should  begin  early  in  the  conceptual  phase  of  a 
design,  when  the  design  criteria,  mission  requirements  and  performance  parameters 
are  being  developed.  To  be  effective,  the  final  design  should  reflect  and  incorporate 
the  analysis  results  and  recommendations.  The  following  diagram  depicts  how  the 
FMECA  process  should  coincide  with  a  typical  acquisition  program. 


[Figure: timeline showing how the FMECA process coincides with a typical acquisition program. Row labels: Design Process, Acquisition Program, FMECA, Design Reviews. Acquisition program phases: Conceptual, Validation, Engineering Development (Engineering, Prototype), Production/Deployment. FMECA track: Functional, Updates, Hardware, Updates.]

PDR - Preliminary Design Review
CDR - Critical Design Review
PRDR - Preproduction Design Review
FACI - First Article Configuration Inspection

The results of both the functional and hardware FMECA's must be presented at each
of  the  design  reviews.  The  design  reviews  then  serve  as  a  forum  to  modify,  correct, 
or  update  the  system  design. 

Since the FMECA is used to support maintainability, safety and logistics analyses,
it is important to coordinate the analysis to prevent duplication of effort within the
same program. FMECA is an iterative process. As the design becomes mature, the
FMECA must reflect the additional detail. When changes are made to the design,
FMECA  must  be  performed  on  the  redesigned  sections.  This  ensures  that  the 
potential  failure  modes  of  the  revised  hardware  will  be  addressed.  If  the  FMECA  is 
performed  correctly,  it  becomes  an  important  tool  for  making  program  decisions 
regarding  trade-offs  affecting  design  integrity. 

The  FMECA  can  be  performed  by  a  cognizant  design  engineer,  reliability 
engineer,  independent  evaluator,  or  combination  of  the  above,  having  a  thorough 
understanding  of  the  operation  and  application  of  the  system  being  analyzed.  The 
analysts  then  feed  back  appropriate  data  gained  from  the  FMECA  into  the  design 
process  to  drive  effective  and  timely  corrective  action  implementation. 

1.3  FMECA  Guidelines 

A  number  of  government  standards  require  the  performance  of  a  FMEA  or 
FMECA.  These  include: 

MIL-STD-785, "Reliability Program for Systems and Equipment Development
and Production." This standard imposes the requirement to perform Task 204,
"Failure Mode, Effects and Criticality Analysis." It gives guidance as to when the
task is to be performed and to what depth it should be done. It does not dictate
how the analysis is to be performed.

MIL-STD-1543, "Reliability Program Requirements for Space and Launch
Vehicles." This document is similar in many respects to MIL-STD-785. It also
imposes the requirement to perform Task 204, "Failure Mode, Effects and
Criticality Analysis." It gives guidance as to when the task is to be performed
and to what depth it should be done but does not dictate how the analysis is to
be performed.

NASA NHB 5300.4, "Reliability Program Provisions for Aeronautical and Space
Contractors." This document is similar in some respects to MIL-STD-785. It
imposes the requirement to perform an FMECA and gives guidance as to when
the task is to be performed and to what depth it should be done but it does not
dictate how the analysis is to be performed.

There  are  many  published  papers,  especially  those  found  in  the  Annual 
Reliability  and  Maintainability  Symposium  Proceedings,  suggesting  various  unique 
approaches  to  FMECA.  A  comprehensive  bibliographic  listing  of  such  papers  may 
be  found  in  Appendix  B.  The  vast  majority  of  FMEAs  and  FMECAs  performed 
today  are  generally  performed  in  accordance  with  MIL-STD-1629,  "Procedure  for 
Performing  a  Failure  Mode,  Effects  and  Criticality  Analysis."  Nevertheless,  there  are 
currently two other generally recognized FMEA/FMECA guideline documents
which  may  be  of  interest  to  the  reader.  They  are: 

1) IEEE Std 352-1975/ANSI N411.4 1976, "IEEE Guide for General Principles of
Reliability Analysis of Nuclear Power Generating Station Protection
Systems." A detailed example of an FMEA is given in Section 8 of
this document.

2) SAE G-11, "Reliability, Maintainability and Supportability Guidebook,"
closely parallels the techniques found in MIL-STD-1629.

1.4  Scope 

The  procedures  called  out  in  MIL-STD-1629A  are  the  most  widely  accepted 
methods  throughout  the  military  and  commercial  industry.  The  primary  objective 
of  this  document  is  to  educate  the  reader  on  the  analytical  techniques  and  guidelines 
for  performing  a  FMECA  according  to  the  methods  described  in  MIL-STD-1629. 
These  guidelines  may  be  tailored  to  meet  specific  customer  needs. 

2.0 BACKGROUND AND DEFINITION

The FMECA was originally developed by the National Aeronautics and Space
Administration (NASA) to improve and verify the reliability of space program
hardware. MIL-STD-785, entitled "Reliability Program for System and Equipment
Development  and  Production,"  Task  204,  Failure  Mode,  Effects  and  Criticality 
Analysis  calls  out  the  procedures  for  performing  a  FMECA  on  equipment  or 
systems.  MIL-STD-1629  is  the  military  standard  that  establishes  requirements  and 
procedures  for  performing  a  FMECA,  to  evaluate  and  document,  by  failure  mode 
analysis,  the  potential  impact  of  each  functional  or  hardware  failure  on  mission 
success,  personnel  and  system  safety,  maintainability  and  system  performance.  Each 
potential  failure  is  ranked  by  the  severity  of  its  effect  so  that  corrective  actions  may 
be  taken  to  eliminate  or  control  design  risk.  High  risk  items  are  those  items  whose 
failure  would  jeopardize  the  mission  or  endanger  personnel.  The  techniques 
presented  in  this  standard  may  be  applied  to  any  electronic  or  mechanical 
equipment  or  system.  MIL-STD-1629  is  applicable  during  the  development  phases 
of  all  DoD  systems  and  equipment  as  well  as  commercial  and  industrial  products. 

2.1  Definition  of  FMECA  Terms 

The  following  list  describes  important  terms  often  used  in  FMECA. 

Compensating  Provision:  Actions  available  or  that  can  be  taken  to  negate  or 
reduce  the  effect  of  a  failure  on  a  system. 

Corrective  Action:  A  documented  design,  process  or  procedure  change  used  to 
eliminate  the  cause  of  a  failure  or  design  deficiency. 

Criticality:  A  relative  measure  of  the  consequences  of  a  failure  mode  and  the 
frequency  of  its  occurrence. 

Criticality  Analysis  (CA):  A  procedure  by  which  each  potential  failure  mode  is 
ranked  according  to  the  combined  influence  of  severity  and  probability  of 
occurrence. 

Damage  Effects:  The  results  or  consequences  a  damage  mode  has  upon  system 
operation,  or  function. 

Damage  Mode:  The  way  by  which  damage  occurs  and  is  observed. 

Damage Mode and Effects Analysis: The analysis of a system or equipment to
determine  the  extent  of  damage  sustained  from  given  levels  of  weapon  damage 
mechanisms  and  the  effects  of  such  damage  on  the  continued  operation  and 
mission  of  the  specified  system  or  equipment. 

Detection  Method:  The  method  by  which  a  failure  can  be  discovered  by  the 
system  operator  under  normal  system  operation  or  by  a  maintenance  crew 
carrying  out  a  specific  diagnostic  action. 

End  Effect:  The  consequence  a  failure  mode  has  upon  the  operation,  function  or 
status  at  the  highest  indenture  level. 

Failure  Cause:  The  physical  or  chemical  processes,  design  defects,  quality  defects, 
part  misapplication  or  other  processes  which  are  the  basic  reason  for  failure  or 
which  can  initiate  the  physical  process  by  which  deterioration  proceeds  to 
failure. 

Failure  Effect:  The  consequence  a  failure  mode  has  upon  the  operation,  function 
or  status  of  a  system  or  equipment. 

Failure  Mode:  The  way  in  which  a  failure  is  observed,  describes  the  way  the 
failure  occurs,  and  its  impact  on  equipment  operation. 

Fault  Isolation:  The  process  of  determining  the  location  of  a  fault  to  the 
indenture  level  necessary  to  effect  repair. 

Indenture  Levels:  The  levels  which  identify  or  describe  the  relative  complexity 
of  an  assembly  or  function. 

Local  Effect:  The  consequence  a  failure  mode  has  on  the  operation,  function  or 
status  of  the  specific  item  being  analyzed. 

Maintainability  Information:  A  procedure  by  which  each  potential  failure  mode 
in  a  system  is  analyzed  to  determine  how  the  failure  is  detected  and  what 
actions  will  be  needed  to  repair  the  failure. 

Mission  Phase  Operational  Mode:  The  statement  of  the  mission  phase  and  mode 
of  operation  of  the  system  or  equipment  in  which  the  failure  occurs. 

Next  Higher  Level  Effect:  The  consequence  a  failure  mode  has  on  the  operation, 
functions,  or  status  of  the  items  in  the  next  higher  indenture  level  above  the 
specific  item  being  analyzed. 

Primary  Damage  Effects:  The  results  or  consequences  a  damage  mode  has 
directly  on  a  system  or  the  components  of  the  system. 

Redundancy: The existence of more than one means for accomplishing a given
function. 

Secondary  Effects:  The  results  or  consequences  indirectly  caused  by  the 
interaction  of  a  damage  mode  with  a  system,  subsystem  or  component  of  the 
system. 

Severity:  Considers  the  worst  possible  consequence  of  a  failure  classified  by  the 
degree  of  injury,  property  damage,  system  damage  and  mission  loss  that  could 
occur. 

Single  Point  Failure:  The  failure  of  an  item  which  can  result  in  the  failure  of  the 
system  and  is  not  compensated  for  by  redundancy  or  alternative  operational 
procedure.

2.2  MIL-STD-1629  Tasks 

MIL-STD-1629 is comprised of five major procedural tasks, Tasks 101-105.

Task  101  documents  the  procedure  for  performing  the  Failure  Mode  and  Effects 
Analysis  (FMEA).  The  purpose  of  the  FMEA  is  to  identify  the  results,  or  effects,  of 
an  item's  failure  on  system  operation  and  to  classify  each  potential  failure  according 
to  its  severity.  The  FMEA  provides  quick  visibility  of  obvious  failure  modes  and 
identifies  potential  single  failure  points  which  can  be  eliminated  or  minimized  with 
redesign.  The  procedure  for  completing  the  FMEA  is  as  follows: 

•  Define  system/functional  requirements  and  modes  of  operation 

•  Develop  reliability  models  (block  diagrams)  for  each  functional  mode 

•  Define item parameters/functions required for success

•  Define  item  failure  mode  effects  on  higher  levels 

Task  102  documents  the  procedure  for  performing  the  Criticality  Analysis  (CA). 
The  purpose  of  the  criticality  analysis  is  to  rank  each  potential  failure  mode 
identified  in  the  FMEA  Task  101,  according  to  the  combined  influence  of  severity 
classification  and  its  probability  of  occurrence.  The  criticality  analysis  supplements 
the  FMEA  and  should  therefore  not  be  performed  without  first  completing  a  FMEA. 
Since the numbers derived during the CA are established subjectively, they should
only  be  used  as  indicators  of  relative  severity. 

Task  103  documents  the  procedure  for  performing  the  FMECA-Maintainability 
Analysis.  The  FMECA-Maintainability  Analysis  supplies  early  criteria  for 
Maintenance  Planning  Analysis  (MPA),  Logistic  Support  Analysis  (LSA)  and 
identifies  maintainability  design  features  that  require  corrective  action.  The 
FMECA-Maintainability  Analysis  is  dependent  upon  data  presented  in  the  FMEA 
and  should  therefore  not  be  performed  without  first  completing  a  FMEA. 

Task  104  documents  the  procedure  for  performing  a  Damage  Mode  and  Effects 
Analysis  (DMEA).  The  purpose  of  the  Damage  Mode  and  Effects  Analysis  is  to 
provide  early  criteria  for  survivability  and  vulnerability  assessments.  The  DMEA 
provides  data  related  to  damage  caused  by  a  specific  threat  mechanism  upon  system 
operation  and  mission  essential  functions. 

Task  105  documents  the  procedure  for  developing  a  FMECA  plan.  The  purpose 
of  the  FMECA  plan  is  to  document  a  contractor’s  planned  activities  while 
implementing  the  FMECA.  The  FMECA  plan  should  include  the  description  of  the 
contractor's  procedures  for  completing  the  assigned  tasks  as  well  as  the  following: 

•  Worksheet  formats 

•  Ground  rules  and  assumptions 

•  System  description 

•  Mission  phase 

•  Identification  of  indenture  levels 

•  Failure  definitions/distributions 

•  Mission  time 

•  Mechanism  for  feeding  FMECA  results  back  into  the  design  process 

3.0 FMEA ANALYSIS TECHNIQUES

The  FMEA  can  be  implemented  using  a  hardware  or  functional  approach.  Often, 
due  to  system  complexity,  the  FMEA  will  be  performed  as  a  combination  of  the  two 
types.  The  complexity  of  each  design,  its  state  of  development  and  the  data 
available,  will  dictate  the  analysis  approach  that  should  be  used.  Each  analysis  can 
begin  at  any  level  of  indenture  and  progress  in  an  upward  fashion. 

3.1  Hardware  Approach 

This  approach  lists  individual  hardware  items  and  analyzes  their  possible  failure 
modes.  This  approach  is  used  when  hardware  items  can  be  uniquely  identified 
from  the  design  schematics  and  other  engineering  data.  The  hardware  approach  is 
normally  used  in  a  bottom-up  manner.  Analysis  begins  at  the  lowest  indenture 
level  and  continues  upward  through  each  successive  higher  indenture  level  of  the 
system.  The  hardware  approach  should  be  used  after  the  design  process  has 
delivered  a  schematic  diagram,  mechanical  drawing  or  blueprint  with  each  part  and 
item  defined.  This  type  of  analysis  is  usually  the  final  FMEA  for  the  design.  To 
perform  a  hardware  FMEA  the  analyst  will  need: 

•  Complete  theory  or  knowledge  of  the  system 

•  Reliability Block Diagrams/Functional Block Diagrams

•  Schematics 

•  Bill  of  Materials/Parts  list 

•  Definitions  for  indenture  levels 

The  analyst  must  identify  each  part  under  analysis  and  record  its  identification 
number  in  an  FMEA  worksheet.  A  sample  FMEA  worksheet  is  presented  in  Figure 
1.  The  failure  mode  and  effects  analysis  will  be  completed  by  identifying  the 
potential  failure  mode  and  cause  of  failure  of  each  hardware  item  in  the  system. 

The effects of each failure mode are then determined by propagating that failure
through  each  level  of  indenture  (local,  next  higher  assembly  and  system  level).  The 
failure  detection  and  isolation  method  and  compensating  provisions  are  then 
recorded.  After  each  functional  block  at  the  system  level  has  been  analyzed,  outputs 
can  be  produced. 

The information obtained from the hardware FMEA output must include a list
of  hazard  risks  to  be  eliminated  or  reduced,  a  list  of  critical  single  point  failures  and 
a  list  of  failures  which  are  not  detectable  by  visual  inspection  or  built-in-test 
techniques. 

3.2  Functional  Approach 

This  approach  considers  the  function  of  each  item.  Each  function  can  be 
classified and described in terms of having any number of associated output failure
modes.  The  functional  approach  is  used  when  hardware  items  cannot  be  uniquely 
identified.  The  functional  method  should  be  employed  when  the  design  process  has 
developed  a  functional  block  diagram  of  the  system,  but  has  not  yet  identified 
specific  hardware  to  be  used.  This  method  is  utilized  early  in  the  design  process  and 
should  be  updated  as  the  design  matures  or  corrective  actions  are  taken.  To  perform 
a  functional  FMEA  the  analyst  will  need: 

•  System  definition  and  functional  breakdown 

•  Block  diagrams  of  the  system 

•  Theory  of  operation 

•  Ground  rules  and  assumptions 

•  Software  specifications 

The  analyst  performing  a  functional  FMEA  must  be  able  to  define  and  identify 
each  system  function  and  its  associated  failure  modes  for  each  functional  output. 
The  failure  mode  and  effects  analysis  is  completed  by  determining  the  potential 
failure  modes  and  failure  causes  of  each  system  function.  The  failure  mode 
probability  and  modal  failure  rate  can  then  be  approximated  if  a  criticality  analysis  is 
necessary.  The  failure  mode  probability  is  the  percentage  of  time  (expressed  in 
decimal  format)  that  the  function  will  fail  in  a  given  mode.  The  modal  failure  rate 
is  defined  as  the  functional  failure  rate  (in  failures  per  million  hours)  multiplied  by 
the  probability  that  the  failure  mode  will  occur. 

The  effects  of  each  functional  failure  mode  are  then  determined  by  propagating 
the  effect  of  the  failure  through  each  higher  level  of  indenture.  The  failure 
detection  and  isolation  method  and  compensating  provisions  are  then  recorded. 
After each functional block of the system level of indenture has been analyzed,
outputs can be produced. All information is recorded on a FMEA worksheet (Figure 1).


The  information  derived  from  the  functional  FMEA  output  must  include  a  list 
of  hazard  risks  to  be  eliminated  or  reduced,  a  list  of  critical  single  point  failures  and 
a list of undetectable failures.

3.3  FMEA  Tailoring 

The  complexity  or  application  of  many  systems  may  require  a  combination  of 
hardware/functional  analysis.  The  FMEA  may  be  tailored  to  address  any  type  of 
system  at  any  stage  of  development. 

Such tailoring can include changes in the type of analysis, level of analysis (card,
system,  card  output,  assemblies),  and  method  used  to  perform  the  analysis.  An 
immature  system  may  consist  of  partially  designed  subassemblies,  completed 
subassemblies,  or  conceptual  designs.  In  the  case  of  conceptual  and  partially 
designed  subassemblies,  card  outputs  can  be  analyzed  using  the  functional  approach. 
The  completed  subassembly  can  be  analyzed  using  the  hardware  approach  down  to 
the  component  level. 

4.0 CRITICALITY ANALYSIS (CA)

The  criticality  analysis  (CA),  like  the  FMEA,  is  performed  concurrently  as  part  of 
the  system  design  process.  The  CA  begins  as  an  integral  part  of  the  early  design 
process  and  is  updated  as  the  design  evolves.  The  CA  produces  a  relative  measure 
of  significance  of  the  effect  a  failure  mode  has  on  the  successful  operation  and  safety 
of  the  system.  The  CA  is  completed  after  the  local,  next  higher  level  and  end  effects 
of  a  failure  have  been  evaluated  in  the  FMEA.  When  the  FMEA  is  combined  with 
the  CA,  the  analysis  is  called  the  Failure  Mode,  Effects  and  Criticality  Analysis.  The 
calculation  of  criticality  numbers  is  accomplished  by  completing  a  CA  worksheet 
(See  Figure  2). 

The  CA  worksheet  must  be  traceable  to  the  FMEA  worksheet  at  the  same 
indenture  level.  Information  developed  for  the  FMEA  such  as  identification 
numbers,  item  function,  failure  modes  and  causes,  mission  phase  and  severity 
classification  are  directly  transferred  to  the  CA  worksheets. 

To  perform  a  quantitative  criticality  analysis,  it  is  necessary  to  have  the 
completed  FMEA  as  well  as  information  on  the  system  such  as  system  mission, 
definition  of  failures,  severity  categories  and  part  failure  rate  information.  Alpha 
and  Beta  values  representing  failure  mode  ratio  and  failure  effect  probability 
respectively,  are  also  entered  on  the  CA  worksheet  in  a  quantitative  criticality 
analysis. 

Alpha  represents  the  probability,  expressed  as  a  decimal  fraction,  that  the  given 
part  or  item  will  fail  in  the  identified  mode.  Beta  represents  the  conditional 
probability  that  the  failure  effect  will  result  in  the  identified  criticality  classification, 
given  that  the  failure  mode  occurs. 

The  CA  can  be  completed  using  either  a  qualitative  or  quantitative  approach. 
The  level  of  availability  of  part  configuration  and  failure  rate  data  will  determine 
the  analysis  approach  to  be  used.  The  qualitative  approach  is  used  when  specific 
part  or  item  failure  rates  are  not  available.  The  quantitative  approach  is  used  when 
there  is  sufficient  failure  rate  data  available  to  calculate  item  criticality  numbers. 

4.1 Qualitative Approach


The  FMEA  identifies  failure  modes  in  terms  of  probability  of  occurrence  levels 
when  failure  rate  data  is  not  available.  Therefore,  failure  mode  ratio  and  failure 
mode  probability  are  not  used  in  this  type  of  analysis.  The  probability  of  occurrence 
of each failure is grouped into discrete levels. An example is given below (Items A-E).
These values are based on the analyst's judgment of how often the failure mode
will  occur.  These  levels  establish  the  qualitative  failure  probability  level  for  entry 
into  the  CA  worksheet  format.  The  failure  mode  probability  of  occurrence  levels 
(frequency)  are  defined  as: 

A)  Level  A  -  Frequent:  A  high  probability  of  occurrence  during  the  item 
operating  time  interval.  High  probability  may  be  defined  as  a  single  failure 
mode  probability  greater  than  .20  of  the  overall  probability  of  failure  during 
the  item  operating  time  interval. 

B)  Level  B  -  Reasonably  Probable:  A  moderate  probability  of  occurrence  during 
the  item  operating  time  interval.  Probability  may  be  defined  as  a  single 
failure  mode  probability  of  occurrence  which  is  more  than  .1  but  less  than 
.20  of  the  overall  probability  of  failure  during  the  item  operating  time 
interval. 

C)  Level C - Occasional: An occasional probability of occurrence during the
item  operating  time  interval.  Occasional  probability  may  be  defined  as  a 
single  failure  mode  probability  of  occurrence  which  is  more  than  .01  but  less 
than  .1  of  the  overall  probability  of  failure  during  the  item  operating  time 
interval. 

D)  Level  D  -  Remote:  An  unlikely  probability  of  occurrence  during  the  item 
operating  time  interval.  Remote  probability  may  be  defined  as  a  single 
failure  mode  probability  of  occurrence  which  is  more  than  .001  but  less  than 
.01  of  the  overall  probability  of  failure  during  the  item  operating  time 
interval. 

E)  Level  E  -  Extremely  Unlikely:  A  failure  whose  probability  of  occurrence  is 
essentially  zero  during  the  operating  time  interval.  Extremely  unlikely  may 
be  defined  as  a  single  failure  mode  probability  of  occurrence  which  is  less 
than  .001  of  the  overall  probability  of  failure  during  the  item  operating  time 
interval. 


It  should  be  noted  that  the  overall  probability  of  occurrence  for  item  failure  is  not 
known.  Therefore,  MIL-STD-1629  incorrectly  defines  the  probability  of  occurrence 
levels. To be useful, the analyst must realize the defined levels are for reference
only. These levels must be tailored for each analysis based on the analyst's judgment
of  failure  mode  frequency  for  each  specific  application.  The  analyst  should  tailor  the 
analysis  to  focus  on  significant  components  or  subassemblies  where  failures  will 
result  in  undesirable  system  level  effects.  Since  frequency  of  failure  is  dependent  on 
failure  rate,  and  failure  rate  is  not  used  in  this  type  of  analysis,  the  analyst  must 
approximate  the  anticipated  probabilities. 

The  failure  probability  levels  should  be  modified  as  the  system  becomes  mature. 
As  part  configuration  and  failure  rate  data  become  available,  actual  criticality 
numbers  should  be  derived  using  the  quantitative  approach  and  entered  into  the 
analysis. 

4.2  Quantitative  Approach 

The  part  or  item  failure  rate  data  is  required  for  the  quantitative  approach  to 
criticality  analysis.  Failure  rates  can  be  derived  or  extracted  from  numerous  data 
sources  including: 

•  MIL-HDBK-217 "Reliability Prediction of Electronic Equipment"

•  Bell  Communications  TA  000-23620-84-01  "Reliability  Prediction  Procedure 
for  Electronic  Equipment" 

•  Nonelectronic  Parts  Reliability  Data  (NPRD-91),  Reliability  Analysis  Center 
(RAC) 

•  Vendor  test  data 

•  Contractor  in-house  test  or  field  experience  data 

The  value  of  each  failure  mode  criticality  number  is  defined  as: 

$$C_m = \beta \alpha \lambda_p t$$

where

$C_m$ = Failure mode criticality
$\beta$ = The conditional probability of mission loss
$\alpha$ = Failure mode ratio
$\lambda_p$ = Part failure rate (in failures per million hours)
$t$ = Duration of applicable mission phase expressed in hours or number
of operating cycles

Since the failure mode ratio ($\alpha$) and failure effect probability ($\beta$) are needed to
perform this analysis, it is necessary to determine how and why each variable is
used as well as where these variables were derived. In this manner, alpha and beta
can be applied correctly. Many systems contain parts that have different duty cycles
during a mission. The factor "t" is used to express the duration of time a particular
item  functions  during  a  specific  mission  phase. 

4.3  Derivation  of  Alpha 

Alpha (failure mode ratio, $\alpha$) is defined by MIL-STD-1629 as "the fraction of the
part failure rate ($\lambda_p$) related to the particular failure mode under consideration...".

This definition is confusing as it seems to say that $\alpha$ is a portion of the failure rate.
This  is  actually  the  definition  of  modal  failure  rate,  which  will  be  discussed  later. 
Alpha  is  the  probability,  expressed  as  a  decimal  fraction,  that  the  given  part  or  item 
will  fail  in  the  identified  mode.  If  all  of  the  potential  failure  modes  for  a  device  are 
considered,  the  sum  of  the  alphas  will  equal  one.  Determining  alpha  is  done  as  a 
two  part  process  for  each  component  being  analyzed.  First,  the  failure  modes  are 
determined  and  secondly,  modal  probabilities  are  assigned. 

Modal  failures  represent  the  different  ways  a  given  part  is  known,  or  has  been 
"observed",  to  fail.  It  is  important  to  make  the  distinction  that  a  failure  mode  is  an 
"observed"  or  "external"  effect  so  as  not  to  confuse  failure  mode  with  failure 
mechanism.  A  failure  mechanism  is  a  physical  or  chemical  process  flaw  caused  by 
design  defects,  quality  defects,  part  misapplication,  or  other  processes.  It  describes 
the  basic  reason  for  failure  or  the  physical  process  by  which  deterioration  proceeds  to 
failure.  For  example,  a  cracked  die  within  a  transistor  may  cause  an  open  circuit 
from  the  collector  to  emitter.  In  this  example,  the  failure  mode  would  be  the  "open 
circuit from the collector to emitter" while the failure mechanism would be the
"cracked die within the transistor". Each part type has a set of associated failure
modes. For example, a Bipolar transistor, NPN type, has been observed to exhibit
the  following  failure  modes: 

•  Low  collector  to  emitter  breakdown  voltage 

•  Excessive  emitter  to  base  leakage 

•  Open  circuit,  collector  to  emitter 

Common  part  failure  modes  can  be  derived  from  a  variety  of  sources,  of  which 
several  are  presented  in  Section  4.4. 

Once common part failure modes have been identified, modal probabilities (α)
are  assigned  to  each  failure  mode.  This  number  represents  the  percentage  of  time, 
in  decimal  format,  that  the  device  is  expected  to  fail  in  that  given  mode.  This 
number  is  statistically  derived  and  is  given  as  a  percentage  of  the  total  observed 
failures.  Using  the  Bipolar  transistor  example,  the  probabilities  of  occurrence  for 
each  failure  mode  are  as  follows: 


PART FAILURE MODES                            FAILURE MODE RATIO (α)
Low collector to emitter breakdown voltage    .34  or  34%
Excessive emitter to base leakage             .57  or  57%
Open circuit, collector to emitter            .09  or  9%
The sum of the modal probabilities is         1.00 or  100%

The Modal Failure Rate is the fraction of the device's total failure rate based on
the  probability  of  occurrence  of  that  failure  mode.  This  allows  for  the 
apportionment  of  the  total  device  failure  rate  into  device  failure  mode  failure  rates. 
The  sum  of  the  modal  failure  rates  for  an  item  will  equal  the  total  item  failure  rate 
providing  all  part  failure  modes  are  accounted  for.  The  modal  failure  rate  is  given 
by  the  equation: 

λm = α λp


where:

λm = the modal failure rate

α = the probability of occurrence of the failure mode

λp = the component failure rate

For example, assume that a Bipolar transistor has a failure rate of .12345
failures/million  hours.  Using  this  information  in  conjunction  with  the  failure 
mode  distributions  previously  presented,  modal  failure  rates  for  each  transistor 
failure  mode  can  be  calculated  as  follows: 


PART FAILURE MODES              α        λp         λm
Low C to E breakdown voltage    .34   x  .12345  =  .04197
Excessive E to B leakage        .57   x  .12345  =  .07036
Open circuit, C to E            .09   x  .12345  =  .01111
TOTALS                          1.00     Item Failure Rate  .12345

4.4  Sample  Sources  of  Failure  Mode  Distribution  Data 

Component  failure  mode  distribution  information  is  available  from  a  variety  of 
sources.  Many  FMECA's  are  accomplished  with  failure  mode  distributions  based  on 
a  compilation  of  in-house  failure  analysis  from  actual  field  failure  returns.  This 
type  of  information  is  typically  a  better  indicator  of  field  performance  than  the 
generic  data  found  in  published  sources.  Most  often,  data  specific  to  an  exact  part 
type  or  exact  part  number  item  can  not  be  obtained.  In  these  cases,  published 
literature  should  be  used  as  sources  for  generic  failure  mode  distribution  data. 
Some  are  listed  here: 

• Chandler, Gregory, William Denson, Michael Rossi, and Richard Wanner.
Failure Mode/Mechanism Distributions 1991. Report No. FMD-91,
Reliability Analysis Center, 201 Mill St., Rome, NY: 1991.

•  Gubbins,  L.J.  Study  of  Part  Failure  Modes.  Report  No.  RADC-TR-64  377, 
Rome  Air  Development  Center,  Griffiss  AFB,  NY  13441:  1964. 

• Electronic Reliability Design Handbook. MIL-HDBK-338, Rome Air
Development Center, Griffiss AFB, NY, 13441: 1982.

• Nonelectronic Reliability Notebook. Report No. RADC-TR-75-22, Rome Air
Development Center, RADC/RBRS, Griffiss AFB, NY, 13441: 1975.

•  Smith,  D.J.  Reliability  and  Maintainability  in  Perspective.  New  York:  John 
Wiley  and  Sons,  1985. 

•  David,  S.E.  and  A.R.  Granier.  "Specification  of  Hybrid  Microcircuits  for  Use 
of  European  Space  Projects,"  International  Microelectronic  Symposium. 
(1975),  p.412-416. 

Most  of  these  sources  contain  limited  failure  mode  distribution  data  on  generic  part 
types.  Most  often,  sources  for  this  type  of  data  cover  a  wide  range  of  common  part 
types  but  very  limited  coverage  is  given  for  application  specific  devices.  There  are  a 
number  of  sources  dealing  with  failure  mode  distributions  of  unique  part  types  such 
as: 


•  Collins,  J.A.,  C.M.  Eallonardo,  and  J.W.  Hansen.  Reliability  Design  Criteria 
for  High  Power  Tubes-Review  of  Tube  and  Tube  Related  Technology. 
Report  No.  RADC-TR-88-304,  Rome  Air  Development  Center, 
RADC/RBET,  Griffiss  AFB,  NY,  13441:  1989. 

•  Denson,  W.K.  and  P.  Brusius.  VHSIC/VHSIC-Like  Reliability  Prediction 
Modeling.  Report  No.  RADC-TR-89-177,  Rome  Air  Development  Center, 
RADC/RBRA, Griffiss AFB, NY, 13441: 1989.

•  Bowman,  L.S.  and  W.H.  Tarn.  "Reliability  and  Failure  Mechanisms  of 
GaAs  FETs,"  Proceedings  of  the  International  Symposium  for  Testing  and 
Failure  Analysis  (ISTFA).  (1981),  p.  69-74. 

In  each  of  the  previously  mentioned  sources,  data  is  summarized  from  field  failure 
data  using  basic  statistical  methods  to  provide  the  user  with  baseline  distributions 
for  each  component  type.  Often,  failure  distribution  data  is  not  available  for 
component  types  utilized  in  a  design.  In  cases  where  failure  mode  distributions  are 
unknown,  alpha  values  should  be  derived  by  the  FMECA  analyst  based  upon 
engineering judgment and the item's functionality.

The most recently developed source for failure mode distribution data is "Failure
Mode/Mechanism Distributions," FMD-91, published by the Reliability Analysis
Center  (RAC).  This  document  is  one  of  the  most  comprehensive  sources  of  part 
level  failure  distribution  information  available.  It  covers  a  wide  variety  of 
component  types.  This  document  was  compiled  from  approximately  50  sources  of 
failure  mode  information  including  failure  analysis  reports,  reliability  modeling 
studies,  RAC  data  summarization  activity  and  published  distributions  from  private 
research  organizations. 

Appendix  A  lists  example  failure  mode  distributions  which  may  be  used  in  a 
FMECA.  This  data  was  derived  from  FMD-91  data  tables. 

4.5 Derivation of Beta (β)

Beta (β) is defined as the failure effect probability and is used to quantify the
described failure effect for each mode indicated in the FMECA. The β values
represent the conditional probability that the described failure effect will result in
the identified criticality classification, given that the failure mode occurs. The β
values represent the analyst's best judgment as to the likelihood that the loss will
occur. MIL-STD-1629 states that values for Beta be quantified in general accordance
with Table 1.


TABLE 1: TYPICAL FAILURE EFFECT PROBABILITIES (β)

FAILURE EFFECT    β VALUE
Actual Loss       1.00
Probable Loss     > 0.10 to < 1.00
Possible Loss     > 0 to 0.10
No Effect         0

This  table  is  meant  to  provide  a  means  of  standardizing  failure  effect 
probabilities  based  on  a  relative  confidence  in  the  failure  effect's  occurrence. 

Though the methodology behind assigning β for a given failure mode seems
straightforward, this value is often misinterpreted. There are two opposing
interpretations of the definition as indicated in the military standard. This
confusion is caused by the conflict between the written definition, and the table of
failure effect probabilities. The written definition states that β is the conditional
probability that the failure effect actually falls in the stated classification, assuming
that the failure mode occurs. This value is implied as being a percentage value of
confidence that the individual performing the FMECA has in his stated failure
effects. The second interpretation comes from the table of failure effect probabilities
listed in the standard, which defines β as the probability of incurring a system loss.
This approach assigns a numerical severity classification to the listed effect.

4.6 Proper Use of β

The proper use of β in a FMECA is more closely related to the first of the two
definitions given in the previous section, representing the engineer's judgment of
the percentage of time that the identified failure mode will cause the indicated
failure effect. It is the analyst's determination, based on his knowledge of the
system, whether the occurrence of the failure mode in question will consistently
cause the same end effect. If it cannot be reasonably stated that a resulting failure
effect will occur for a given failure mode, the FMECA analyst must indicate this by
assigning a relative probability of occurrence to the resultant effect. When a β value
of less than one is observed for a specific failure mode's failure effect, additional
failure effects for the same failure mode must be indicated and weighted such that
the sum of the β values adds up to one. In these instances, β is used to quantify
multiple system level failure effects for a given single failure mode. Beta is a
percentage based upon the FMECA analyst's judgment of the probability of
occurrence of each failure mode's system level failure effect. By quantifying the
system level failure effects for a specific failure mode, the FMECA provides a more
accurate view of an item's failure mode severity. This also illustrates that there can
be multiple system level failure effects for a single failure mode.

To illustrate the proper use of beta, consider a brake system on a train. If a
failure mode were to occur which caused the brakes on the train to lock, what
potential failure effects could occur? Most analysts would consider only the most
mission critical failure effect: the train derailing. Without understanding the proper
use of Beta, the FMECA analyst might only consider the worst case scenario and
overlook other "potential system" effects. By considering only the worst case
scenario, an accurate portrayal of the actual system effects for this failure mode is not
given. The most probable system level effect under normal operating conditions is
that the train would suddenly come to a screeching halt. However, there is a chance
that the train could skip the tracks depending upon when and where this failure
occurred. If β is applied properly, the most accurate presentation of this data is as
follows:


FAILURE MODE    FAILURE EFFECT                                  β
Brakes Lock     1) Train skids on tracks and comes to a stop    .9
                2) Train derails                                .1

Since the severities of these two effects are greatly different, the failure mode
criticality  number  can  now  be  weighted  based  on  probability  of  occurrence. 

If β were applied incorrectly, modal criticality numbers (Cm) for the device in
question would be skewed. A common error made by FMECA analysts is to use β to
address the probability of occurrence of only the most severe system level effect
while ignoring the other possible system level effects resulting from that failure
mode. Using the train brake example and assuming λp = .01 failures per million
hours, α = .5, and t = 20 hours for the "Brakes Lock" failure mode, the modal
criticality would be calculated as follows:

Cm = β α λp t

Cm = (.1)(.5)(.01 x 10^-6)(20)

Cm = 1 x 10^-8 (failure effect #2)

This is only part of the modal criticality as it considers only one of the known
failure effects. The other portion of the modal criticality number is calculated as
follows:

Cm = β α λp t

Cm = (.9)(.5)(.01 x 10^-6)(20)

Cm = 9 x 10^-8 (failure effect #1)

Therefore, the total failure mode criticality for the "Brakes Lock" failure mode is the
sum of these two values: 1 x 10^-7.

4.7 Distribution of Failure Rate Across Multiple Device Packages

For  most  of  the  devices  listed  in  Appendix  A,  the  calculation  for  modal  failure 
rate  is  straightforward.  It  is  defined  as  the  probability  that  the  device  will  fail  in  the 
indicated  mode.  Therefore,  the  modal  failure  rate  is  calculated  by  multiplying  the 
item failure rate by the modal probability (α) for that failure mode. When summing
the  modal  failure  rates  for  all  possible  modes,  the  result  is  equal  to  the  total  part 
failure  rate.  A  slightly  different  approach  must  be  taken  when  dealing  with 
multiple  device  packages.  A  multiple  device  package  is  any  uniquely  classified 
component  type  that  is  internally  made  up  of  a  group  of  two  or  more  devices.  The 
failures  of  these  internal  devices  can  have  different  effects  on  system  operation. 

An  example  of  a  multiple  device  package  is  a  resistor  network.  When  the  failure 
rate  for  this  device  is  determined,  it  is  based  on  evaluating  the  device  as  a  whole. 
However,  the  effects  of  the  modal  failures  of  the  device  are  unique  to  each  resistor 
in  the  network.  To  accurately  weight  the  analysis,  the  failure  rate  must  be 
apportioned  among  the  individual  components  within  the  resistor  network. 
Failure  modes  and  modal  probabilities  are  then  identified  for  each  of  the  resistors 
within  the  network.  These  are  typically  consistent  from  one  resistor  to  the  next 
within  the  network,  assuming  that  they  are  of  the  same  type,  size,  and  quality  rating. 
The  modal  failure  rate  is  then  calculated  by  multiplying  the  portion  of  the  total 
device  failure  rate  applicable  to  the  individual  resistor  in  question  by  the  modal 
probability  for  that  specific  resistor.  The  sum  of  all  modal  failure  rates  will  equal  the 
total  device  failure  rate.  The  following  example  illustrates  this  process: 

Component  type:  Resistor  Network 

Part  Number:  Rnet 

Number  of  Resistors  in  Network:  10 

Failure Rate (λp) of Resistor Network: .5

Failure Mode Probability (α): Open (.75)
                              Short (.25)




Failure Rate of Each Resistor Within Network:

λp of Rnet(i) = (.5/10) = .05 failures per million hours

Modal Failure Rate of Each Resistor Within Network:

λp of Rnet(i) (open) = .05 x .75 = .0375

λp of Rnet(i) (short) = .05 x .25 = .0125


Failure  Rate  Summation: 


DEVICE       FAILURE RATE (λp(i))    MODAL PROB. (α)    MODAL FAILURE RATE
             FAIL/E6 HRS.
Rnet (1)     .05                     Open  .75          .0375
                                     Short .25          .0125
Rnet (2)     .05                     Open  .75          .0375
                                     Short .25          .0125
Rnet (3)     .05                     Open  .75          .0375
                                     Short .25          .0125
Rnet (4)     .05                     Open  .75          .0375
                                     Short .25          .0125
Rnet (5)     .05                     Open  .75          .0375
                                     Short .25          .0125
Rnet (6)     .05                     Open  .75          .0375
                                     Short .25          .0125
Rnet (7)     .05                     Open  .75          .0375
                                     Short .25          .0125
Rnet (8)     .05                     Open  .75          .0375
                                     Short .25          .0125
Rnet (9)     .05                     Open  .75          .0375
                                     Short .25          .0125
Rnet (10)    .05                     Open  .75          .0375
                                     Short .25          .0125
TOTALS       .50                                        .5000

This scenario commonly applies to transistor arrays, diode arrays, digital or
analog integrated circuits with multiple outputs, multi-pole / multi-throw switches,
etc.

Hybrid  devices  may  be  handled  a  number  of  different  ways.  The  hybrid  can  be 
treated  as  a  subsystem  with  its  internal  components  being  analyzed  as  components 
within  that  subsystem.  The  failure  effects  of  each  internal  component  failure  mode 
are  then  carried  out  to  the  package  pins  to  determine  the  effects  on  next  higher  and 
system  levels.  Another  approach  used  when  analyzing  hybrid  devices  is  to  treat  the 
hybrid  like  a  microcircuit  and  analyze  the  outputs.  In  this  case,  each  output  is  given 
the  failure  mode  distributions  relating  to  the  internally  connected  component. 

4.8  Definition  of  a  Criticality  Matrix 

The  Criticality  Matrix  provides  a  graphical  means  of  identifying  and  comparing 
failure  modes  for  all  components  within  a  given  system  or  subsystem  with  respect 
to  severity.  Severity  is  classified  in  four  categories  with  Level  I  being  the  most 
severe  (catastrophic)  and  Level  IV  being  the  least  severe  (minor).  These  levels  are 
specified  as  follows: 


DESCRIPTION     CATEGORY    MISHAP DEFINITION
Catastrophic    I           Death or system loss.
Critical        II          Severe injury, severe occupational illness,
                            or major system damage.
Marginal        III         Minor injury, minor occupational illness,
                            or minor system damage.
Minor           IV          Less than minor injury, occupational
                            illness, or minor system damage.

Severity  pertains  to  and  ranks  the  consequences  of  system  level  failure  mode 
effects.  The  matrix  is  constructed  by  inserting  item  reference  designators  or  failure 
mode  identification  numbers  into  matrix  locations  which  represent  severity 
classification  category  and  either  probability  of  occurrence  level  or  criticality  number 
for  each  item’s  failure  modes.  The  resulting  matrix  shows  the  relative  ranking  of 
criticality  for  each  item's  failures.  The  matrix  is  a  useful  tool  for  assigning  corrective 
action priorities. As shown in Figure 3, the further along the diagonal line from the
origin that the failure mode is recorded, the greater the criticality and the more
urgent  the  need  for  corrective  action  implementation.  The  figure  also  illustrates 
how  either  the  criticality  number  used  in  a  quantitative  criticality  analysis,  or 
probability  of  occurrence  level  used  in  a  qualitative  criticality  analysis  can  be  used 
for  the  vertical  axis. 


FIGURE 3: CRITICALITY MATRIX
[Vertical axis: criticality number or probability of occurrence level, with
criticality increasing along the diagonal. Horizontal axis: severity classification,
increasing level of severity. Note: both criticality and probability of occurrence
are shown for convenience.]

4.9 Construction of Criticality Matrix

There  are  two  methods  to  organize  data  for  a  criticality  matrix.  As  shown  in 
Figure  3,  severity  classification  is  plotted  on  the  X-axis  in  order  of  increasing 
magnitude  from  a  Level  IV  failure  (minor)  to  a  Level  I  failure  (catastrophic).  What 
differs is the presentation of information to be plotted in terms of severity. The
Y-axis can be used to plot criticality or probability of occurrence based upon whether a
quantitative  or  qualitative  criticality  analysis  was  performed.  This  is  typically 
governed  by  the  amount  of  detailed  engineering  data  available  at  the  time  of 
analysis. 

Though item criticality (Cr, the sum of a part's modal criticalities for like severity
classifications) is a factor commonly calculated during the criticality analysis and
used in the criticality matrix, it is also logical to use modal criticality (Cm) in the
criticality matrix. Item criticality is calculated using the following formula:

Cr = Σ_{n=1}^{j} (β α λp t)_n     n = 1, 2, 3, ... j     or     Cr = Σ_{n=1}^{j} (Cm)_n

where:

Cr = Criticality number for the item being analyzed

n = The current failure mode of the item being analyzed for a particular
severity classification

j = The number of failure modes for the item being analyzed for a
particular severity classification

Cm = Criticality number for a particular failure mode

β = Probability of occurrence of the resulting failure effect

α = Failure mode ratio

λp = Part failure rate

t = Duration of applicable mission phase usually expressed in hours or
number of operating cycles.


Item criticality (Cr) is the summation of an item's individual failure mode
criticality numbers for each unique severity classification. However, using Cr in the
criticality matrix can cause single point failures to be improperly ranked. When
plotting Cr in a criticality matrix, the user must understand that each data point may
represent multiple failure entries causing a particular part, not failure mode, to
stand out. MIL-STD-1629 is a bit unclear in its discussion of criticality analysis and
criticality matrices regarding the use of (Cr) and (Cm). Failure mode criticality (Cm) is
the  parameter  RAC  recommends  using  in  the  criticality  matrix  because  it 
immediately  identifies  the  severity  and  criticality  of  each  individual  failure  mode  so 
that  accurate  re-design  decisions  can  be  made  to  eliminate  the  most  severe  and 
likely  failure  modes. 

Figure 4 shows an example of a quantitative criticality matrix with failure mode
criticality being plotted. Failure mode criticality is calculated using the following
formula:

Cm = β α λp t

where:

Cm = Criticality number for each failure mode

β = Conditional probability of failure effect

α = Failure mode ratio

λp = Part failure rate

t = Duration of applicable mission phase usually expressed in hours or
number of operating cycles.

This number, Cm, expresses criticality by modal elements. The resultant graph
provides a systematic breakdown of this data and allows the ranking of severity as a
function  of  modal  failure  rate  and  specific  failure  effects  of  the  failure  mode 
indicated.  The  graphical  result  highlights  potentially  catastrophic  conditions 
making  them  readily  apparent  for  redesign  consideration. 

Figure 5 shows another example of a quantitative criticality matrix with failure
mode criticality being plotted. However, this example considers the probability of
occurrence of the stated failure effect, (β). Failure mode criticality is calculated in the
same way as was previously described; however, in this case the failure modes are
further detailed based upon multiple failure effects through the use of β. In this
example, it was determined that the "open" failure mode of the resistor could
realistically cause two potential failure effects. The first having a .9 probability of
causing a minor effect and the second having a .1 probability of causing a
catastrophic effect.

Component type: Metal Film Resistor
Part Number: R1
Failure Rate (λp): .5 failures per million hours
Failure Mode Probability (α): Open (.75)
                              Short (.25)
Time (t): 1 hour
Failure Effect Probability (β): 1
Failure Mode Criticality: Cm = (β)(α)(λp)(t)

Cm(open)  = (1 x .75 x [.5 x 10^-6] x 1)
          = .375 x 10^-6

Cm(short) = (1 x .25 x [.5 x 10^-6] x 1)
          = .125 x 10^-6

• assume an "open" failure mode could cause a catastrophic effect

• assume a "short" failure mode could cause a minor effect

FIGURE 4: CRITICALITY MATRIX (EXAMPLE 1) [horizontal axis: Severity Classification]

Component type: Metal Film Resistor
Part Number: R1
Failure Rate (λp): .5 failures per million hours
Failure Mode Probability (α): Open (.75)
                              Short (.25)
Time (t): 1 hour
Failure Effect Probability (β): .9, .1
Failure Mode Criticality per Failure Effect: Cm = (β)(α)(λp)(t)

Cm1(open) = (.9 x .75 x [.5 x 10^-6] x 1)
          = .3375 x 10^-6

Cm2(open) = (.1 x .75 x [.5 x 10^-6] x 1)
          = .0375 x 10^-6

Cm(short) = (1 x .25 x [.5 x 10^-6] x 1)
          = .125 x 10^-6

FIGURE 5: CRITICALITY MATRIX (EXAMPLE 2) [horizontal axis: Severity Classification]

This number, Cm(i), further defines the modal criticality based on the multiple
effects of each failure mode and the corresponding severities associated with them.
The  resultant  matrix  provides  a  more  specific  breakdown  of  the  FMECA  data 
allowing  the  ranking  of  severity  as  a  function  of  the  probability  of  occurrence  for 
each  effect  multiplied  by  the  modal  failure  rate  causing  the  indicated  mode  effect. 
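
The following Python sketch is an added example, not part of the RAC report. It applies Cm = β α λp t per failure effect, enforces the sum rules the text states for α and β, and sums Cm into Cr per severity class, using the Figure 5 resistor and the train brake values from the text. The class and function names are hypothetical, and the severity classes given to the two brake effects are assumed.

```python
import math
from collections import defaultdict
from dataclasses import dataclass

SEVERITY_ORDER = ["I", "II", "III", "IV"]  # I = catastrophic ... IV = minor


@dataclass(frozen=True)
class Effect:
    description: str
    severity: str   # one of SEVERITY_ORDER
    beta: float     # conditional probability of this effect, given the mode


@dataclass(frozen=True)
class FailureMode:
    name: str
    alpha: float    # failure mode ratio
    effects: tuple  # every system-level effect of this mode


@dataclass(frozen=True)
class Item:
    ref: str
    lambda_p: float  # part failure rate, failures per hour
    t: float         # mission phase duration, hours
    modes: tuple


def validate(item, all_modes_listed=True, tol=1e-9):
    """Enforce the two sum rules the text states for alpha and beta."""
    alpha_sum = sum(m.alpha for m in item.modes)
    if all_modes_listed and not math.isclose(alpha_sum, 1.0, abs_tol=tol):
        raise ValueError(f"{item.ref}: alphas sum to {alpha_sum}, expected 1")
    if alpha_sum > 1.0 + tol:
        raise ValueError(f"{item.ref}: alphas sum to {alpha_sum}, above 1")
    for m in item.modes:
        beta_sum = sum(e.beta for e in m.effects)
        if not math.isclose(beta_sum, 1.0, abs_tol=tol):
            raise ValueError(
                f"{item.ref}/{m.name}: betas sum to {beta_sum}; list the "
                "remaining effects instead of only the worst case")
        for e in m.effects:
            if e.severity not in SEVERITY_ORDER:
                raise ValueError(f"unknown severity {e.severity!r}")


def modal_failure_rates(item):
    """lambda_m = alpha * lambda_p for each failure mode."""
    return {m.name: m.alpha * item.lambda_p for m in item.modes}


def modal_criticalities(item):
    """One (ref, mode, severity, Cm) row per effect; Cm = beta*alpha*lambda_p*t."""
    return [(item.ref, m.name, e.severity,
             e.beta * m.alpha * item.lambda_p * item.t)
            for m in item.modes for e in m.effects]


def item_criticality(item):
    """Cr per severity class: the sum of the item's Cm values in that class."""
    totals = defaultdict(float)
    for _, _, severity, cm in modal_criticalities(item):
        totals[severity] += cm
    return dict(totals)


def rank_for_matrix(items):
    """Order Cm rows most severe class first, then highest Cm (safety-driven)."""
    rows = [row for item in items for row in modal_criticalities(item)]
    return sorted(rows, key=lambda r: (SEVERITY_ORDER.index(r[2]), -r[3]))


# Figure 5 resistor, values from the text.
R1 = Item("R1", 0.5e-6, 1.0, (
    FailureMode("Open", 0.75, (Effect("minor effect", "IV", 0.9),
                               Effect("catastrophic effect", "I", 0.1))),
    FailureMode("Short", 0.25, (Effect("minor effect", "IV", 1.0),)),
))

# Train brake example; the severity classes are assumed, the text gives none.
BRAKES = Item("Brakes", 0.01e-6, 20.0, (
    FailureMode("Brakes Lock", 0.5, (Effect("skids to a stop", "III", 0.9),
                                     Effect("derails", "I", 0.1))),
))

if __name__ == "__main__":
    validate(R1)
    validate(BRAKES, all_modes_listed=False)  # only one of its modes is given
    for ref, mode, severity, cm in rank_for_matrix([R1, BRAKES]):
        print(f"{ref:7} {mode:12} severity {severity:3} Cm = {cm:.4e}")
    print("R1 Cr per severity class:", item_criticality(R1))
```

For R1 the class IV value of Cr merges the "open" and "short" contributions into one point, which is the loss of per-mode detail the text warns about when Cr is plotted instead of Cm.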

Figure  6  shows  an  example  of  the  qualitative  approach  to  developing  a  criticality 
matrix.  In  the  qualitative  approach,  probability  of  occurrence  levels  are  defined  for 
each component analyzed and are used in place of the criticality numbers on the
Y-axis. Probability of occurrence is divided into 5 levels, A through E, as defined in
Section 4.1 of this report. These levels refer to the relative probability of failure
occurrence of the item being analyzed. (The term "Probability of Occurrence" is not
to be confused with the definition of Beta (β), which is the probability of occurrence
of  a  specific  failure  effect.)  The  matrix  shows  the  severity  of  the  effect  of  the  item's 
failure  vs.  the  probability  of  occurrence  of  that  item’s  failure.  As  indicated  in 
Section  4.1,  the  qualitative  analysis  method  attempts  to  quantify  its  results.  A  useful 
qualitative  criticality  analysis  must  be  tailored  to  each  specific  item/system.  The 
overall  failure  mode  probability  of  occurrence  level  for  a  given  item  must  be  based 
on  sound  engineering  judgment  for  that  particular  system/item.  The  levels  defined 
in  MIL-STD-1629  are  meant  to  be  guidelines,  not  defined  levels.  The  qualitative 
criticality  matrix  will  display  the  relative  probability  of  occurrence  of  failure  for  the 
item  being  analyzed  based  on  those  predetermined  levels  defined  by  the  analyst,  and 
stated  in  the  FMECA  plan. 

4.10  How  to  Use  and  Read  a  Criticality  Matrix 

The  criticality  matrix  provides  a  visual  representation  of  the  critical  areas  of  a 
system.  By  knowing  how  to  properly  use  and  read  a  criticality  matrix,  the  user  can 
make  educated  decisions  when  addressing  potentially  hazardous  single  point 
failures.  Regardless  as  to  which  of  the  types  of  data  are  presented  in  the  criticality 
matrix,  the  relative  order  of  importance  for  items  of  concern  remains  the  same. 
Items  displayed  in  the  upper  most  right  hand  corner  of  the  matrix  require  the  most 
immediate  attention.  These  failures  have  a  high  probability  of  occurrence  and  a 
catastrophic  effect  on  system  operation  or  personnel  safety.  As  you  move  diagonally 
towards the lower left hand corner of the matrix, the criticality and severity of
potential failures decreases. In cases where failures display the same relative
severity and criticality, it must be determined whether safety or cost is the driving
factor of the analysis. If safety is more of a concern, items shown on the right of the
diagonal line require the most re-design attention, because the effects of their
failures are more severe even though their criticality ranking may be less. If cost is a
major concern, items to the left of the diagonal line require attention, because the
high criticality numbers reflect higher failure probability. However, in situations
where human life is a risk, safety is always the primary consideration.

FIGURE 6: CRITICALITY MATRIX (QUALITATIVE APPROACH)

When  items  are  deemed  critical  by  their  location  in  the  criticality  matrix,  some 
means  of  corrective  action  must  be  employed  to  eliminate  or  reduce  the  chance  or 
effects  of  their  failures.  One  option  is  to  replace  the  component  in  question  with 
one  of  a  higher  quality  rating.  This  would  reduce  the  failure  rate  of  the  device  and 
thus  the  probability  of  this  catastrophic  effect.  If  it  can  be  determined  that  the 
device's  high  criticality  ranking  is  due  to  an  overstress  condition,  replacing  the 
component  with  one  which  has  greater  power  handling  capability  would  solve  the 
problem. 

If  the  quality  level  or  power  rating  of  the  device  is  not  the  problem,  a  circuit 
redesign  may  be  necessary.  This  could  be  costly  and  time  consuming  depending  on 
how  far  the  design  process  has  progressed  and  may  in  fact  lead  to  more  reliability 
problems.  The  use  of  redundancy  in  the  circuit  may  provide  a  simple  and  cost 
effective  solution.  By  employing  redundancy,  duplicate  circuitry  is  constructed  such 
that  it  serves  as  a  backup  for  a  critical  single  point  failure.  Though  the  initial  failure 
of  the  component  cannot  be  avoided,  the  effect  of  the  failure  will  no  longer  be 
catastrophic  since  a  compensating  provision  (the  redundant  circuit)  will  serve  to 
operate in its place. However, the ideal situation is to feed back and utilize FMECA
results during the initial stages of the design process, so that early iterations of the
design contain the "right" solution.

5.0 FMECA ANALYSIS PROCESS

The  following  logical  steps  should  be  followed  when  performing  an  FMECA: 

•  Define  the  system 

•  Define  ground  rules  and  assumptions  in  order  to  help  drive  the  design 

•  Construct  system  block  diagrams 

•  Identify  failure  modes  (part  level  or  functional) 

•  Analyze  failure  effects/causes 

•  Feed  results  back  into  design  process 

•  Classify  the  failure  effects  by  severity 

•  Perform  criticality  calculations 

•  Rank  failure  mode  criticality 

•  Determine  critical  items 

•  Feed  results  back  into  design  process 

•  Identify  the  means  of  failure  detection,  isolation  and  compensation 

•  Perform  maintainability  analysis 

•  Document  the  analysis,  summarize  uncorrectable  design  areas,  identify 
special  controls  necessary  to  reduce  failure  risk 

•  Make  recommendations 

•  Follow  up  on  corrective  action  implementation/effectiveness 

5.1  Procedure 

In  FMECA,  each  single  item  failure  is  analyzed  and  its  resulting  effects 
documented.  Each  single  item  failure  is  assumed  to  be  the  only  failure  in  the 
system.  However,  MIL-STD-1629  states  that  if  a  single  item  failure  is  non-detectable, 
the analysis should be continued to include the effects of any secondary failures
which, when combined with the original failure, present a critical failure
condition. If a redundant or back-up design has been utilized in the system, the
analysis should include the failure conditions which resulted in the need for that
redundant or back-up design. It is inconceivable to analyze every possible
multi-failure scenario resulting in adverse operating conditions due to time and cost
constraints.  This  type  of  analysis  is  better  accomplished  using  Fault  Tree  Analysis 
(FTA).  RAC  has  published  a  fault  tree  analysis  handbook  which  discusses  this 
analytical  technique  in  great  detail.  See  Appendix  C  for  ordering  information.  All 
single  point  failures  identified  during  the  FMECA  analysis  should  be  identified  on 
the  FMECA  worksheets.  Figure  1  (Section  3.1)  shows  an  example  worksheet.  A 
typical  "quick"  reference  FMECA  flow  diagram  is  illustrated  in  Figure  7. 

5.2  System  Definition 

The  necessary  first  step  in  completing  the  FMECA  is  to  define  the  system  to  be 
analyzed.  The  complete  system  definition  includes  the  identification  of  internal 
and  interface  functions,  the  performance  of  the  system  at  each  indenture  level, 
system  restraints,  and  failure  definitions.  Functional  descriptions  should  be 
developed  for  each  mission,  mission  phase,  mission  times,  operational  modes  and 
primary  and  secondary  mission  objectives.  These  descriptions  should  describe  the 
service  use  profile,  equipment  utilization,  expected  mission  time,  function  and 
output  of  each  item.  Conditions  which  constitute  system  failure  and  part  failure 
should  also  be  determined. 

The  system  indenture  levels  must  be  identified  to  complete  the  FMECA.  Figure 
8  depicts  typical  system  indenture  levels.  Both  functional  and  hardware  FMECA 
methods  apply  to  this  example.  However,  the  hardware  approach  is  more  applicable 
to  lower  system  levels  while  the  functional  approach  is  more  applicable  at  higher 
system levels.

FIGURE 7: TYPICAL FMECA FLOW

FIGURE 8: TYPICAL INDENTURE LEVELS

5.3  Ground  Rules  and  Assumptions 

To  help  the  reader  understand  FMECA  results,  the  analyst  must  clearly 
document  the  ground  rules  and/or  assumptions  made  when  performing  each  part 
of the analysis. The ground rules generally apply to the system/equipment, its
environment,  mission  and  analysis  methods.  Ground  rules  require  customer 
approval  and  generally  include: 

• The mission of the item being analyzed (Aircraft-Bombing Run)

•  The  phase  of  the  mission  the  analysis  will  consider  (Bomber-Takeoff) 

•  Operating  time  of  the  item  during  the  mission  phase  (Time  to  Takeoff) 

•  The  severity  categories  used  to  classify  the  effects  of  failure  (When  categories 
in  MIL-STD-1629  must  be  tailored) 

•  Derivation  of  failure  mode  distributions  (Vendor  Data,  Statistical  Studies, 
Analyst’s  judgment) 

•  Source  of  part  failure  rates  when  required  (NPRD,  MIL-HDBK-217,  Vendor 
Data) 

• Fault detection concepts and methodologies (BIT, Alarms, Warnings)

Often, a FMECA is tailored to a specific product or type of customer. Therefore,
the analysis and results are not necessarily in accordance with MIL-STD-1629. When
the analysis deviates from the standard guidelines, each deviation must be
thoroughly documented.

5.4  Block  Diagrams 

A  functional  and  reliability  block  diagram  representing  the  operation, 
interrelationships  and  interdependencies  of  functional  entities  of  the  system  should 
be  constructed.  The  block  diagrams  provide  the  ability  to  trace  the  failure  mode 
effects  through  each  level  of  indenture.  The  block  diagrams  illustrate  the  functional 
flow  sequence  as  well  as  the  series  or  parallel  dependence  or  independence  of 
functions  and  operations. 

Each  input  and  output  of  an  item  should  be  shown  on  the  diagrams  and  labeled. 
A  uniform  numbering  system  which  is  developed  for  the  functional  system 
breakdown order is essential to provide traceability through each level of
indenture.  Figures  9  and  10  depict  examples  of  functional  and  reliability  block 
diagrams  respectively. 

The  functional  block  diagram  shows  the  operation  and  interrelationships 
between  functional  parts  of  the  system  as  defined  by  the  schematic  drawings  and 
engineering  data.  The  functional  block  diagram  depicts  the  system  functional  flow, 
the  indenture  level  of  analysis  and  the  present  hardware  indenture  level.  This  type 
of  diagram  can  be  used  for  hardware  and  functional  FMEA's.  Additional 
information on the construction of functional block diagrams can be found in
MIL-STD-24100 entitled "Manual, Technical; Functionally Oriented Maintenance
Manuals  for  Systems  and  Equipment". 

The  reliability  block  diagram  is  used  to  illustrate  the  relationship  of  all  the 
functions  of  a  system  or  functional  group.  Information  on  the  construction  of 
reliability block diagrams may be found in MIL-STD-756 entitled "Reliability
Prediction."

FIGURE 9: EXAMPLE OF FUNCTIONAL BLOCK DIAGRAM (COMMUNICATION RECEIVER)

FIGURE 10: EXAMPLE OF RELIABILITY BLOCK DIAGRAM (AIR COMPRESSOR)

5.5 Failure Mode Identification

All  item  and  interface  failure  modes  must  be  identified  and  their  effect  upon  the 
immediate  function  or  item,  system  and  mission  must  be  determined.  The 
potential  failure  modes  are  determined  by  examining  item  outputs  and  functional 
outputs  identified  when  constructing  the  system  block  diagrams.  Item  failure  mode 
effects  are  based  on  and  should  be  consistent  with  the  definitions  of  failure 
developed  in  the  system  definition.  All  probable  independent  failure  modes  for 
each  item  should  be  identified.  To  assure  that  a  complete  analysis  has  been 
performed,  each  component  failure  mode  and/or  output  function  should  be 
examined for the following conditions:

A) Premature operation

B) Failure to operate at the proper time

C) Intermittent operation

D)  Failure  to  stop  operating  at  the  proper  time 

E)  Loss  of  output 

F)  Degraded  output  or  reduced  operational  capability 

When  a  qualitative  CA  is  performed,  the  failure  mode  probability  of  occurrence 
level  must  be  determined  (from  analyst's  judgment).  The  failure  mode  probability 
of  occurrence  must  be  determined  for  the  quantitative  CA  (from  vendor  data, 
reliability  prediction,  etc.).  A  list  of  commonly  used  component  level  failure  mode 
distributions  is  presented  in  Appendix  A. 

5.6  Failure  Effects  Analysis 

A  failure  effects  analysis  is  performed  on  each  item  of  the  reliability  block 
diagram.  The  consequence  of  each  failure  mode  on  item  operation,  and  the  next 
higher  levels  in  the  block  diagram  should  be  identified  and  recorded.  The  failure 
under  consideration  may  affect  several  indenture  levels  in  addition  to  the 
indenture  level  under  analysis.  Therefore,  local,  next  higher  and  end  effects  are 
analyzed. Failure effects must also consider the mission objectives, maintenance
requirements and system/personnel safety. Failure effect levels are defined as
follows: 

Local:  Effects  that  result  specifically  from  the  failure  mode  of  the  item  in  the 
indenture  level  under  consideration.  Local  effects  are  described  to  provide  a 
basis  for  evaluating  compensating  provisions  and  recommending  corrective 
actions.  The  local  effect  can  be  the  failure  mode  itself. 

Next  Higher  Level:  Effects  which  concentrate  on  the  effect  a  particular  failure 
mode  has  on  the  operation  and  function  of  items  in  the  next  higher  indenture 
level. 

End:  Effect  of  the  assumed  failure  on  the  operation,  function  and/or  status  of 
the  system. 


The  end  or  system  level  effects  of  item  failures  generally  fall  within  one  of  the 
following  categories: 

A)  System  failure:  the  failed  item  has  a  catastrophic  effect  on  the  operation  of 
the  system. 

B) Degraded operation: the failed item has an effect on the operation of the
system but the system's mission can still be accomplished.

C) System status failure: the failed item causes the operator to lose the true
status of the system or equipment.

D)  No  immediate  effect:  the  failed  item  causes  no  immediate  effects  on  the 
system  operation. 


Should  end  effects  of  item  failure  not  fall  within  one  of  the  categories  above,  the 
analyst  must  tailor  these  categories  as  needed. 

Failures  at  the  system  level  are  those  failures  which  hinder  the  performance  or 
actual  completion  of  the  specified  mission.  An  example  of  failures  at  each 
indenture  level  would  be  defined  as: 

Major  System:  An  example  is  a  bomber  aircraft.  A  failure  at  the  major  system 
level  would  be  defined  as  the  inability  of  the  aircraft  to  deliver  its  bombs  to  a 
specific target.

System: An example is the weapons control system onboard the aircraft. A
failure  at  the  system  level  could  be  defined  as  the  inability  of  the  aircraft  to 
identify  the  target  during  an  active  mission. 

Subsystem:  An  example  is  an  electronic  countermeasures  pod  onboard  an 
aircraft  whose  mission  is  to  counter  enemy  radar  threats.  A  failure  at  the 
subsystem  level  could  be  defined  as  the  inability  of  the  pod  to  handle  mission 
specific  threats. 

Unit:  An  example  is  the  power  output  amplifier  in  the  transmitter  of  an  aircraft 
radar  system.  A  failure  at  the  unit  level  could  be  defined  as  the  inability  of  the 
power  output  amplifier  to  amplify  and  pass  the  transmitter  carrier  signal  to  the 
radar  antenna. 

Part: An example is a power transistor in the power output amplifier in the
transmitter  of  an  onboard  aircraft  radar  system.  A  failure  at  the  part  level  could 
be  defined  as  the  inability  of  the  transistor  to  amplify  and  pass  the  carrier  signal 
through  the  power  amplifier  output. 

5.7  Severity  Classification 

Each  item  failure  mode  is  evaluated  in  terms  of  the  worst  potential 
consequences  upon  the  system  level  which  may  result  from  item  failure.  A  severity 
classification  must  be  assigned  to  each  system  level  effect.  Severity  classifications 
provide  a  qualitative  measure  of  the  worst  potential  consequences  resulting  from  an 
item  failure.  A  severity  classification  is  assigned  to  each  identified  failure  mode  and 
each  item  analyzed  in  accordance  with  the  following  categories. 

A)  Category  I  -  Catastrophic:  A  failure  which  may  cause  death  or  weapon 
system  loss  (i.e.,  aircraft,  tank,  missile,  ship,  etc.) 

B)  Category  II  -  Critical:  A  failure  which  may  cause  severe  injury,  major 
property  damage,  or  major  system  damage  which  will  result  in  mission  loss. 

C) Category III - Marginal: A failure which may cause minor injury, minor
property  damage,  or  minor  system  damage  which  will  result  in  delay  or  loss 
of  availability  or  mission  degradation. 

D) Category IV - Minor: A failure not serious enough to cause injury, property
damage or system damage, but which will result in unscheduled
maintenance or repair.

These categories have been developed in MIL-STD-882 entitled "System Safety
Program Requirements". It may not be possible to categorize an item or failure
mode  according  to  the  four  categories  listed.  Loss  statements  can  be  developed  to 
account  for  the  results  of  item  failure.  These  modified  classifications  should  be 
approved  by  the  procuring  activity  and  included  in  the  FMECA  ground  rules.  For 
example,  consider  a  home  furnace  controller  containing  printed  circuit  cards. 
Customized  severity  classifications  might  be  as  follows: 

A)  Category  I:  Loss  of  furnace  or  structure 

B)  Category  II:  Major  damage  to  printed  circuit  board  or  external  devices  as  a 
result  of  a  board  failure,  system  disabled 

C) Category III: Minor damage to printed circuit board or external devices as a
result of a board failure, system degraded

D) Category IV: Insignificant failure, but maintenance or repair required

5.8 Failure Detection Methods

The  FMECA  identifies  the  methods  by  which  occurrence  of  a  failure  is  detected 
by  the  system  operator.  Visual  or  audible  warning  devices  and  automatic  sensing 
devices  are  examples  of  failure  detection  means.  Any  other  indications  which  serve 
as  evidence  to  the  system  operator  that  a  system  has  failed  should  be  identified.  If 
no  indication  exists,  it  is  important  to  determine  if  the  failure  will  jeopardize  the 
system  mission  or  safety.  MIL-STD-1629  states  if  no  indication  exists,  the  analysis 
must  determine  whether  or  not  the  undetected  failure  will  jeopardize  the  mission 
objectives  or  personnel  safety,  and  if  the  undetected  failure  allows  the  item  to 
remain  operational  in  a  safe  state,  a  second  failure  situation  shall  be  explored  to 
determine  whether  or  not  an  indication  will  be  evident  to  the  operator  or 
maintenance  technician.  Indications  to  the  operator  can  be  described  as: 

Normal: An indication to the operator indicating the system is operating
normally.

Abnormal: An indication to the operator that the system has malfunctioned or
failed.

Incorrect: An erroneous indication to the operator that a malfunction has
occurred when there is no fault or an indication that the system is operating
normally when, in fact, there is a failure.

5.8.1  Failure  Isolation  Methods 

Once  a  failure  is  detected,  it  must  be  isolated.  The  failure  isolation  method 
describes  the  most  direct  approach  that  allows  the  operator  to  identify  and  locate  the 
failure.  When  an  item  fails,  the  operator  can  only  see  initial  failure  symptoms  until 
further  action  is  taken.  Such  action  can  be  a  detailed  built-in-test  (BIT)  or 
troubleshooting  flow.  Fault  isolation  requires  an  action  or  series  of  actions  by  the 
operator,  in  an  attempt  to  zero-in  on  the  root  failure  cause.  Use  of  technical  orders, 
maintenance  manuals  or  automated  test  software  can  be  used  to  accomplish  this. 
Automatic  built-in-test-equipment  (BITE)  can  often  detect  and  isolate  failures 
concurrently  to  various  ambiguity  levels. 

5.8.2  Compensating  Provisions 

Compensating  provisions  are  design  characteristics  or  operator  actions  which 
can  circumvent  or  reduce  the  effects  of  item  failure.  Any  compensating  provision 
built  into  a  system  that  can  nullify  the  effects  of  a  malfunction  or  failure  or 
deactivate  or  activate  circuitry  to  halt  or  negate  the  effects  of  a  failure  must  be 
identified.  Design  compensating  provisions  include: 

A)  Redundant  items  that  allow  continued  and  safe  operation. 

B)  Safety  devices  such  as  monitors  or  alarm  systems  that  permit  effective 
operation  or  limit  damage. 

C) Alternative means of operation such as backup or standby items or systems.

All  compensating  provisions  that  require  operator  action  to  reduce  or  negate  the 
effects  of  a  failure  should  also  be  identified  and  recorded.  When  multiple 
compensating  provisions  exist,  the  compensating  provision  which  best  satisfies  the 
fault  indication  observed  by  the  operator  must  be  highlighted.  The  consequences  of 
the  operator  taking  the  wrong  action  in  response  to  an  abnormal  indication  should 
be  considered  and  the  effects  of  this  action  should  be  recorded  in  the  remarks 
column of the worksheet.

5.9 Criticality Ranking

When  failure  modes  are  analyzed  in  terms  of  probability  of  occurrence,  failure 
probability  levels  must  be  listed  (qualitative  analysis).  When  failure  rate  data  is 
used  to  calculate  criticality  numbers  (quantitative  analysis)  the  data  source  for 
failure  rates  must  be  listed  (i.e.,  MIL-HDBK-217,  NPRD-91,  etc.)  along  with  the 
failure  rate.  To  successfully  complete  the  FMECA,  it  is  necessary  to  determine  both 
the  failure  mode  criticality  (Cm)  of  each  failure  mode  and  the  criticality  of  each 
item.  The  failure  mode  criticality  is  derived  based  on  the  methodologies  described 
in Section 4.2 of this document. The criticality of each item (Cr) is the sum of the
item's individual failure mode criticality numbers having the same severity
classification. For this example, both failure modes result in level III severities
(refer to Section 4.9). A ranking can be developed to help determine item failures
critical  to  mission  or  system  safety.  The  following  examples  illustrate  the 
calculation  of  item  criticality  and  failure  mode  criticality. 

Failure Mode Criticality:

Component type: Carbon Film Resistor

Part Number: R14

Failure Rate (λp): .25673 failures per million hours

Failure Effect Probability (α): Open (.75), Short (.25)

Time (t): 1 hour

Failure Mode Probability (β): 1

Failure Mode Criticality (Cm):

$$C_m = \beta \alpha \lambda_p t$$

Cm (open) = (1 x .75 x .25673 x 1)

Cm (open) = .192548 x 10^-6

Cm (short) = (1 x .25 x .25673 x 1)

Cm (short) = .064183

Item Criticality:

Component type: Carbon Film Resistor

Part Number: R14

Failure Rate (λp): .25673 failures per million hours

Failure Effect Probability (α): Open (.75), Short (.25)

Time (t): 1 hour

Failure Mode Probability (β): 1

Item Criticality (Cr):

$$C_r = \sum_{n=1}^{j} (\beta \alpha \lambda_p t)_n, \quad n = 1, 2, 3, \ldots, j \qquad \text{or} \qquad C_r = \sum_{n=1}^{j} (C_m)_n$$

Cr = (1 x .75 x .25673 x 1) + (1 x .25 x .25673 x 1)

Cr = .25673


5.10  Critical  Item/Failure  Mode  List 

The  purpose  of  the  critical  item  list  is  to  rank  the  effects  of  each  item  failure 
with  respect  to  severity  of  the  failure  effect  and  probability  of  the  failure  occurrence. 
The  most  critical  failure  modes  are  those  modes  with  high  criticality  and  high 
severity  of  end  effect.  The  critical  item/failure  mode  list  will  aid  in  safety  and  fault 
tree  analysis,  thereby  enabling  improvements  in  the  design. 
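
The criticality calculation of Section 5.9 and the ranking of Section 5.10, carried over a small worksheet as an added example (not code from this handbook): it computes Cm per failure mode, sums Cr per item and severity class, and orders the result for a critical item list. The R14 rows reuse the values of the worked example; parts Q3 and C7, all of their numbers, and the sort rule (severity class first, then Cr) are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Severity classes of Section 5.7, most severe first.
SEVERITY_RANK = {"I": 0, "II": 1, "III": 2, "IV": 3}


@dataclass(frozen=True)
class FailureMode:
    item: str        # item identification, e.g. part number
    mode: str        # failure mode, e.g. "open"
    severity: str    # severity class "I" .. "IV"
    alpha: float     # alpha as listed in the worked example (0..1)
    beta: float      # beta as listed in the worked example (0..1)
    lambda_p: float  # part failure rate, failures per million hours
    t: float         # operating time in hours

    def __post_init__(self):
        # Reject worksheet rows that would silently distort the ranking.
        label = f"{self.item}/{self.mode}"
        if self.severity not in SEVERITY_RANK:
            raise ValueError(f"{label}: unknown severity {self.severity!r}")
        for name in ("alpha", "beta"):
            if not 0.0 <= getattr(self, name) <= 1.0:
                raise ValueError(f"{label}: {name} must be in [0, 1]")
        if self.lambda_p < 0 or self.t <= 0:
            raise ValueError(f"{label}: failure rate or time out of range")

    @property
    def cm(self):
        """Failure mode criticality Cm = beta * alpha * lambda_p * t (x 10^-6)."""
        return self.beta * self.alpha * self.lambda_p * self.t


def item_criticality(modes):
    """Cr per (item, severity): sum of Cm over the item's modes in that class."""
    totals = defaultdict(float)
    for fm in modes:
        totals[(fm.item, fm.severity)] += fm.cm
    return dict(totals)


def critical_item_list(modes):
    """Rank (item, severity, Cr): most severe class first, then highest Cr.

    The sort rule is an assumption of this example; a program's ground
    rules may define the ranking differently.
    """
    rows = [(item, sev, cr) for (item, sev), cr in item_criticality(modes).items()]
    return sorted(rows, key=lambda r: (SEVERITY_RANK[r[1]], -r[2]))


# R14 rows use the values of the worked example; Q3 and C7 are constructed
# rows (hypothetical parts, failure rates, probabilities and severities).
WORKSHEET = [
    FailureMode("R14", "open",  "III", 0.75, 1.0, 0.25673, 1.0),
    FailureMode("R14", "short", "III", 0.25, 1.0, 0.25673, 1.0),
    FailureMode("Q3",  "short", "I",   0.60, 0.5, 0.04000, 1.0),
    FailureMode("Q3",  "open",  "III", 0.40, 1.0, 0.04000, 1.0),
    FailureMode("C7",  "short", "II",  0.50, 1.0, 0.10000, 1.0),
    FailureMode("C7",  "open",  "II",  0.50, 0.2, 0.10000, 1.0),
]

if __name__ == "__main__":
    for item, sev, cr in critical_item_list(WORKSHEET):
        print(f"{item:<4} severity {sev:<3} Cr = {cr:.6f} x 10^-6")
```

Q3 appears twice in the output because its two failure modes fall in different severity classes, and its Category I entry ranks ahead of R14 even though R14 has the larger criticality number.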

5.11  Recommendations 

At  the  conclusion  of  the  FMECA,  critical  items/failure  modes  are  identified  and 
corrective  action  recommendations  made.  Typical  recommendations  call  for  design 
modifications such as the use of higher quality components, higher rated
components, design redundancy or compensating provisions.

Recommendations cited must be fed back into the design process as early as
possible in order to minimize iterations of the design. The FMECA is most effective
when exercised in a proactive manner to drive design decisions, rather than to
respond after the fact. In this context, the analyst is cautioned not to get so absorbed
in the details of the FMECA that proactive opportunities to improve the design are
overlooked. A reactive FMECA may satisfy a data item requirement, but may cause
an  unnecessary  drain  on  resources,  or  a  negative  impact  on  cost  and  schedule  if 
recommendations  come  late. 




6.0  MAINTAINABILITY/DAMAGE  MODE  ANALYSIS 

6.1  Maintainability  Information 

The  Maintainability  Analysis  supplies  early  criteria  for  maintenance  planning 
analysis,  logistic  support  analysis  (LSA),  test  planning,  and  helps  identify 
maintainability  design  features  that  require  corrective  action. 

The  Maintainability  Analysis  is  used  to  determine  and  influence  the  level  of 
Built-in-Test  (BIT)  and  fault  detection  provided  by  the  system.  Information  on 
faults  that  are  detectable  and  isolatable  is  used  as  an  input  to  system  testability 
analysis  and  maintainability  prediction. 

The  Maintainability  Analysis  requires  data  from  the  FMEA.  Therefore,  the 
Maintainability  Analysis  cannot  be  completed  before  the  FMEA  is  completed. 

Documentation  of  the  Maintainability  Analysis  is  accomplished  by  completing  a 
Maintainability  Information  Worksheet.  An  example  of  a  maintainability 
information  worksheet  is  given  in  Figure  11.  Information  required  for  the 
Maintainability  Analysis  extracted  from  the  FMEA  is: 

A.  Item  Identification  Number  (identical  to  FMEA,  for  traceability) 

B.  Item  Nomenclature 

C. Function

D. Functional Failure (Failure Mode from FMEA)

E. Engineering Failure Mode (Failure Causes from FMEA)

F.  Failure  Effects  (Local,  Next  Higher,  End) 

G.  Severity  Class 

H.  Mission  Phase 

I.  Compensating  Provisions 

J.  Failure  Detection  Method 

When recording functional failures, each functional failure should be lettered
alphabetically on the maintainability analysis worksheet. Each functional failure
may have multiple hardware failure modes. Therefore, each hardware failure
mode should be numbered beginning with "1" and placed on the maintainability
analysis worksheet.

FIGURE 11: MAINTAINABILITY INFORMATION WORKSHEET (TASK 103)

In addition to the information derived from the FMEA, the minimum equipment
list and Engineering Failure Mode MTBF information must be obtained.

The  Minimum  Equipment  list  determines  whether  the  equipment  end  item  can 
be  dispatched  on  its  assigned  mission  with  the  particular  item  under  analysis  being 
inoperative. 

The  Engineering  Failure  Mode  MTBF  is  determined  by  calculating  the  MTBF  for 
each hardware failure mode (or cause) developed from the FMEA.

6.2  Damage  Mode  and  Effect  Analysis 

The  Damage  Mode  and  Effects  Analysis  (DMEA)  is  used  to  provide  survivability 
and  vulnerability  assessments.  The  DMEA  expands  the  FMEA  to  include  data 
required  for  vulnerability  assessments.  This  type  of  analysis  is  primarily  applicable 
to  new  weapon  system  acquisitions.  However,  the  DMEA  can  be  expanded  to 
include  existing  weapon  systems  where  data  is  required  to  provide  criteria  for 
survivability. 

Documentation of the DMEA is accomplished by completing a
customer-approved DMEA worksheet.

The  DMEA,  like  the  maintainability  analysis,  requires  data  from  the  FMEA. 
Therefore,  the  Damage  Mode  and  Effects  Analysis  cannot  be  completed  before  the 
FMEA  is  completed. 

Information  required  for  the  DMEA  extracted  from  the  FMEA  is: 

A.  Item  Identification  Number 

B.  Item  nomenclature 

C. Function

D. Failure Modes and Causes

E. Mission phase/operation

F. Severity Class

In addition to the information derived from the FMEA, all possible damage
modes  which  could  result  from  exposure  to  the  specified  threat  mechanism(s)  must 
be  determined  by  analyzing  each  subsystem,  component  or  part. 

The  consequences  of  each  assumed  damage  mode  on  item  operation,  function 
and  status  must  be  identified.  Since  the  damage  mode  under  consideration  can 
affect  several  indenture  levels,  the  analysis  is  carried  out  for  local,  next  higher  level 
and end effects. An example of an approved DMEA worksheet is given in Figure 12.

FIGURE 12: DMEA WORKSHEET (TASK 104)

7.0 FMECA REPORT

The  FMECA  report  documents  the  level  of  analytical  detail,  summarizes  results 
and  identifies  data  sources  and  techniques  used  in  performing  the  analysis.  The 
FMECA  report  must  include  a  description  of  the  system,  resultant  analysis  data, 
assumptions  and  the  required  task  worksheets.  The  worksheets  are  to  be  organized 
such  that  the  highest  indenture  level  of  the  system  is  displayed  first.  The  report 
should  also  be  organized  by  system  or  assembly  indenture  levels  or  by  logical 
functions  for  a  functional  FMECA. 

Ground  rules  and  assumptions  are  to  be  clearly  documented.  The  report  must 
describe  and  explain  all  steps  involved  in  the  FMECA  process.  These  include  the 
system  definition,  analysis  type,  severity  classifications,  methods  for  determining 
and using α and β, part failure rate data, and data sources. The report must explain
what  the  analysis  is,  its  uses,  its  benefits  and  any  shortcomings.  A  synopsis  of  how 
to  read  each  section  of  the  report  should  also  be  included.  Block  diagrams  for  each 
indenture  level  should  be  included  when  applicable.  All  failure  modes  that  result 
in category I or II severities should be separately listed. All mission critical items
must  be  identified  and  highlighted. 

The  FMECA  report  will  contain  a  system  summary,  as  well  as  conclusions  and 
recommendations  based  upon  the  analysis.  The  summary  section  includes  a 
complete  design  evaluation,  a  list  of  any  critical  design  deficiencies,  and  rationale  for 
excluding  items  from  the  FMECA.  Recommendations  for  eliminating  or  reducing 
the  risks  associated  with  each  component  failure  must  be  documented.  Corrective 
actions  will  be  identified  to  resolve  documented  recommendations. 

7.1  FMECA  Review 

When  reviewing  an  FMECA  report,  it  is  important  to  be  able  to  identify 
weaknesses  in  the  analysis  and  documentation.  Some  common  errors  frequently 
seen  by  RAC  engineers  in  FMECA  reports  include: 

•  No  defined  failure  causes  listed 

•  Incorrect  failure  classification 

• Failure rate data sources not listed or included

• Lack of recommendations/corrective actions

•  Incorrect  system  description  or  definition 

•  No  ground  rules  or  assumptions  stated 

•  No  block  diagrams,  where  applicable 

•  Incorrect  approach  used  for  analysis 

•  Failure  mode  data  sources  not  listed 

•  No  worksheets  provided 

•  Reckless,  improper  or  no  severity  classifications  provided 

•  Results  not  clearly  summarized 

•  Beta  used  incorrectly 

•  No  apportion  of  multiple  device  packages 

•  Mission  time  not  used  or  listed 

•  Narrow  scope  of  analysis 

The  FMECA,  if  performed  properly,  is  a  stand-alone  document  with  many 
applications.  Often,  external  organizations  with  little  actual  knowledge  of  the 
system assist a program office in analyzing data items. These organizations depend
heavily on the stand-alone attributes of the FMECA. Additionally, the FMECA
provides valuable training and troubleshooting insight to technical staff learning
the  operation  and  function  of  that  system.  These  reasons  further  warrant  that  a 
conscientious  effort  be  placed  on  carefully  documenting  and  performing  the 
FMECA.

8.0 FMECA EXAMPLES

The  following  examples  illustrate  the  most  widely  used  methods  for  performing 
a  FMECA  on  equipment/systems. 

8.1  FMECA  Example  -  Qualitative  Approach 

The  communication  receiver  depicted  in  Figure  13  will  be  used  to  illustrate  the 
functional  FMECA.  This  example  is  intended  to  give  the  design/reliability  engineer 
ideas  on  how  to  approach  different  types  of  designs.  Methods  similar  to  the  one  that 
follows  can  be  used  or  combined  with  other  analysis  techniques  to  analyze  more 
complex  systems. 


FIGURE  13:  COMMUNICATION  RECEIVER 


8.1.1  System  Definition 

To  start  the  functional  FMECA,  the  analyst  must  clearly  define  the  system.  In 
this  example,  the  communication  receiver  exists  in  an  aircraft,  and  is  used  to  receive 
messages transmitted from an airport control tower. The receiver is constantly
monitored by Built-In-Test-Equipment (BITE) to detect certain failures and alert the
pilot  by  means  of  an  audible  alarm. 


The  system  indenture  levels  are  defined  as: 

Communication  System  (Major  System) 

Receiver  (System) 

Antenna  (Function) 


The  "Major  System"  is  defined  as  the  complete  communication  system  between 
the  tower  and  the  aircraft  (Receiver  &  Transmitter).  This  sample  analysis  will 
concentrate  on  the  receiver  design  and  the  effects  of  functional  failure  upon  the 
entire  communication  system  (Major  System).  It  should  be  noted  that  the  "Major 
System"  could  have  been  defined  as  the  Receiver  itself  (instead  of  the  entire 
Communication  System).  In  this  case,  the  effects  of  functional  failure  would  be 
propagated  to  the  receiver  level,  not  the  entire  communication  system.  The
definition  of  the  communication  receiver  includes  the  identification  of  each 
internal  connection,  interface  connection  and  indenture  levels. 

Using  the  diagram  in  Figure  13,  the  following  functional  definitions  are  given 
to  each  element  in  the  diagram. 


Antenna:  Responsible for conducting the transmitted signal and passing
it to the RF amplifier stage.

RF Amplifier:  Responsible for receiving, amplifying and delivering the
incoming signal to the mixer stage of the design.

Local Oscillator:  Responsible for providing a constant frequency sine wave to
the RF amplifier and mixer.

Mixer:  Responsible for mixing the incoming signal with the local
oscillator signal to produce a signal with a constant carrier
frequency.

IF Amplifier:  Responsible for amplification of the intermediate frequency
signal produced by the mixer.

Detector:  Responsible for extracting the "intelligence" signal from the
radio signal.

Audio Amplifier:  Responsible for amplifying the "intelligence" signal to drive
the speaker.

Speaker:  Responsible for transducing the electrical "intelligence" signal
into an audible signal.

The  mission  phase  is  defined  as  the  process  of  receiving  an  incoming
communication  transmission.  The  primary  mission  objective  is  to  accurately 
receive  a  transmission  signal,  decode  the  signal  and  allow  the  user  to  detect  the 
signal  in  audible  form.  The  primary  function  of  the  receiver  is  to  receive  and 
decode  messages  between  the  control  tower  and  the  aircraft  pilot.  The  mission  may 
be  accomplished  during  takeoff,  normal  flight,  and  landing. 

8.1.2  Ground  Rules  and  Assumptions 


The  analysis  ground  rules  and  assumptions  must  be  developed  next.  This 
analysis  will  be  a  functional  FMECA  performed  in  accordance  with  MIL-STD-1629A,
Tasks  101  and  102,  on  the  receiver  design.  Since  the  design  is  in  conceptual 
development,  a  Task  103  maintainability  information  worksheet  will  not  be 
developed  at  this  time.  All  failure  effects  will  be  evaluated  based  on  severity 
classifications  developed  by  the  analyst  and  approved  by  the  customer.  System  and 
part  failures  will  be  categorized  as  such: 

Classification  I  -  System  Failure  -  Complete  loss  of  communication  reception 
from  control  tower 

Classification  II  -  Degraded  Operation  -  Communication  reception  degraded  or 
intermittent 

Classification  III  -  Status  Failure  -  Inability  to  report  to  the  operator  the  correct 
state  of  the  receiver 

Classification  IV  -  No  Effect  -  No  effect  on  communication  reception,  but 
unscheduled  maintenance  must  be  performed. 

All  failure  modes  will  be  derived  from  FMD-91  (a  RAC  publication),  historical 
system  data  and  analytical  judgment  of  relevant  potential  failure  modes.  Only  the 
most  likely  failure  modes  will  be  considered.  Less  likely  failure  modes  may  occur, 
but  analysis  of  each  could  increase  cost  and  impact  schedule  without  having  a 
substantial  impact  on  the  results.  Built-in-test-equipment  (BITE)  monitors  the 
system.  Detection  of  a  failure  is  announced  immediately  by  means  of  an  audible 
alarm. 

A  qualitative  approach  to  criticality  analysis  will  be  used.  Probability  of
occurrence  level  is  defined  as: 

A)  Level  A  -  Frequent:  A  high  probability  of  occurrence  during  the  item 
operating  time  interval.  High  probability  will  be  defined  as  a  single  failure 
mode  probability  greater  than  .20  of  the  overall  probability  of  failure  during 
the  item  operating  time  interval. 

B)  Level  B  -  Reasonably  Probable:  A  moderate  probability  of  occurrence  during 
the  item  operating  time  interval.  Probability  will  be  defined  as  a  single 
failure  mode  probability  of  occurrence  which  is  more  than  .10  but  less  than 
.20  of  the  overall  probability  of  failure  during  the  item  operating  time 
interval. 

C)  Level  C  -  Occasional:  An  occasional  probability  of  occurrence  during  the
item  operating  time  interval.  Occasional  probability  will  be  defined  as  a 
single  failure  mode  probability  of  occurrence  which  is  more  than  .01  but  less 
than  .10  of  the  overall  probability  of  failure  during  the  item  operating  time 
interval. 

D)  Level  D  -  Remote:  An  unlikely  probability  of  occurrence  during  the  item 
operating  time  interval.  Remote  probability  will  be  defined  as  a  single 
failure  mode  probability  of  occurrence  which  is  more  than  .001  but  less  than 
.01  of  the  overall  probability  of  failure  during  the  item  operating  time 
interval. 

E)  Level  E  -  Extremely  Unlikely:  A  failure  whose  probability  of  occurrence  is 
essentially  zero  during  the  operating  time  interval.  Extremely  unlikely 
probability  will  be  defined  as  a  single  failure  mode  probability  of  occurrence 
which  is  less  than  .001  of  the  overall  probability  of  failure  during  the  item 
operating  time  interval. 

8.1.3  FMEA 


Figure 14 shows an example form of the MIL-STD-1629A, Task 101 FMEA
worksheet. Each of the columns in this figure contains a letter referencing
the following paragraphs, which discuss the information required in that column.
Figure 15 shows the completed Task 101 worksheets for the communication receiver
example.

A)  Identification  Number:  A  unique  number  given  to  each  entry  on  the  FMEA 
worksheet  used  for  record  keeping  purposes.  For  example,  the  receiver  has 
been  labeled  with  identification  numbers,  001, 002,  003,  etc... 

FIGURE 15: FMEA WORKSHEET (RECEIVER EXAMPLE)

B) Item/Functional Identification: A term identifying either the item or
functional block of the design under consideration. For the receiver
example, Antenna Output, RF Amplifier Output, etc. are listed as functional
components of the receiver.

C) Function: A concise statement regarding the item's function. For example,
the  function  of  the  Antenna  Output  is  to  conduct  the  transmitted  signal. 

D)  Failure  Mode  and  Causes:  A  concise  statement  on  the  ways  in  which  an 
item  can  fail.  In  the  case  of  the  Antenna  Output  function,  the  failure  modes 
are  No  Reception,  Signal  Leakage,  and  Spurious  Reception. 

E)  Mission  Phase/Operational  Mode:  A  statement  identifying  the  objective  or 
task  of  the  item  being  analyzed.  The  mode  of  operation  for  the  items  within 
the  communication  system  is  reception. 


The  failure  effects  analysis  is  completed  by  propagating  the  effects  of  a  single 
point  failure  throughout  the  various  system  levels.  The  columns  labeled  Local 
Effects,  Next  Higher  Level  and  End  Effects  house  this  information. 

F)  Local  Effects:  An  explanation  of  the  immediate  resultant  effect  from  the 
occurrence  of  the  identified  failure  mode.  The  first  failure  mode  addressed 
in  the  example  is  the  antenna  failing  to  receive  the  incoming  signal  (No 
Reception).  The  "local  level"  is  defined  as  the  antenna.  The  failure  effect  at 
this  level  is  listed  as  the  "Antenna  cannot  receive  the  incoming 
transmissions". 

G)  Next  Higher  Level:  An  explanation  of  the  effect  of  the  local  failure  on  the 
next  higher  system  indenture  level.  In  this  case,  the  "next  higher  level"  is 
defined  as  the  Receiver.  The  effect  of  the  antenna  not  receiving  incoming 
transmissions  causes  an  effect  of  "Loss  of  signal  to  the  receiver". 

H)  End  Effects:  An  explanation  of  the  effects  of  the  indicated  failure  mode  on 
the  system.  A  loss  of  signal  to  the  receiver  will  have  an  effect  on  the  entire 
communication  system.  This  effect  is  presented  in  the  "End  effects" 
column.  The  "system"  has  been  defined  as  the  entire  communication 
system.  A  loss  of  signal  to  the  receiver  will  disable  the  communication 
system  and  cause  a  loss  of  communication  between  the  control  tower  and 
the  pilot. 

I)  Failure  Detection  Method:  An  explanation  of  the  means  by  which  a  failure 
can  be  identified.  The  Built-In-Test-Equipment  (BITE)  is  designed  to  detect  a 
failure  of  the  antenna.  The  BITE  will  sound  an  audible  alarm  upon  the 
occurrence  of  this  failure.  The  failure  will  be  detected  by  the  operator. 

J)  Compensating  Provisions:  An  explanation  of  the  provisions  made,  within
the  design,  to  negate  the  effects  of  this  type  of  failure.  This  design  does  not 
provide  compensating  provisions  for  this  type  of  failure  (Antenna  Failure). 
Therefore,  the  word  "None"  is  placed  in  the  Compensating  Provisions 
Column  of  the  worksheet. 

K)  Severity  Class:  A  numerical  representation  of  the  degree  of  damage  or 
injury  that  will  be  caused  by  the  occurrence  of  the  failure  mode.  The  failure 
effect  of  the  antenna  would  be  classified  as  a  Category  I  severity  -  A  failure 
that  causes  the  complete  loss  of  communication  between  the  aircraft  and  the 
control  tower. 

L)  Remarks:  A  concise  statement  of  related  details  concerning  the  evaluation 
of  the  given  failure  mode  that  could  not  be  contained  within  the  other  Task 
101  fields. 

This  analysis  is  performed  on  each  functional  block  of  the  Receiver  system  for 
each  potential  failure  mode  of  that  block. 

8.1.4  Criticality  Analysis 


Figure  16  shows  a  sample  form  of  the  Task  102  worksheets  as  referenced  by  MIL- 
STD-1629A.  Each  of  the  columns  contains  a  letter  referencing  the  fields  defined  in 
the  following  section.  Fields  that  are  carried  over  from  the  Task  101  forms  are 
referenced  with  the  same  letter  identified  in  the  previous  section.  The  explanations 
for  these  fields  are  not  repeated  in  this  section.  Figure  17  shows  the  completed  Task 
102  forms  for  the  communication  receiver. 

M)  Failure  Probability/Failure  Rate  Data  Source:  In  a  qualitative  analysis,  this 
column  is  used  to  indicate  a  ranking  of  the  probability  of  occurrence  of  an 
item's  failure  (i.e.,  A,  B,  C,  etc.);  see  Section  8.1.2  for  actual  probability  of
occurrence  levels.  In  a  quantitative  analysis,  this  column  is  used  to  indicate 
the  data  source  for  item  failure  rate  (i.e.,  MIL-HDBK-217). 

N)  Failure  Effect  Probability  (β):  A  numeric  value  representing  the  conditional
probability  that  the  failure  effect  will  result  in  the  identified  criticality 
classification,  given  that  the  failure  mode  occurs.  This  factor  is  not 
applicable  to  a  qualitative  analysis. 

FIGURE 16: CA WORKSHEET (TASK 102)

O) Failure Mode Ratio (α): This is the probability, expressed as a decimal
fraction,  that  the  given  part  or  item  will  fail  in  the  identified  mode.  This 
factor  is  not  applicable  to  a  qualitative  analysis. 

P)  Failure  Rate  (λp):  A  numerical  representation  of  the  number  of  expected
failures  for  a  given  item  over  a  specified  period  of  time.  This  may  be  a 
predicted  or  estimated  value  and  is  commonly  expressed  in  failures  per 
million  hours.  This  factor  is  not  applicable  to  a  qualitative  analysis. 

Q)  Operating  Time  (t):  The  total  operating  time  that  the  indicated  item  is 
expected  to  function  during  the  mission  scenario.  The  value  commonly 
used  is  the  total  life  cycle  time  of  the  equipment.  This  factor  is  not 
applicable  to  a  qualitative  analysis. 

R)  Failure  Mode  Criticality  (Cm):  A  relative  measure  of  consequence  of  a 
failure  mode  and  its  frequency  of  occurrence.  This  factor  is  not  applicable  to 
a  qualitative  analysis. 

S)  Item  Criticality  (Cr):  A  relative  measure  of  consequence  of  an  item  failure 
and  its  frequency  of  occurrence.  This  factor  is  not  applicable  to  a  qualitative 
analysis. 

T)  Remarks:  A  concise  statement  of  related  details  concerning  the  evaluation 
of  the  given  failure  mode  that  could  not  be  contained  within  the  other  Task 
102  fields. 


Figure  18  shows  a  sample  form  of  the  Task  103  worksheets  as  referenced  by  MIL-
STD-1629A.  Each  of  the  columns  contains  a  letter  referencing  the  fields  defined  in
the  following  section.  Fields  that  are  carried  over  from  the  Task  101  forms  are 
referenced  with  the  same  letter  identified  in  the  previous  section.  The  explanations 
for  these  fields  are  not  repeated  in  this  section.  There  are  no  completed  Task  103 
forms  for  the  communication  receiver  since  a  maintainability  analysis  was  not 
performed.  An  example  of  the  Task  103  analysis  is  illustrated  in  the  next  example 
(quantitative  analysis). 

U)  Engineering  Failure  Mode:  Any  failure  causes  from  Task  101  Item  (D)  that 
relate  to  or  result  in  the  identified  functional  failure  mode.  There  may  be 
many  engineering  failure  modes  per  functional  failure. 

V)  Minimum  Equipment  List:  If  the  system  remains  deployable  with  the 
analysis  item  inoperative,  document  any  known  limitations  regarding 
system  performance  in  this  block. 

FIGURE 18: MAINTAINABILITY INFORMATION (TASK 103)

W) Engineering Failure Mode MTBF & Remarks: The mean/average time
between  occurrences  of  the  indicated  failure  mode  or  failure  causes.  Also 
include  a  concise  statement  of  related  details  concerning  the  evaluation  of 
the  given  failure  mode  that  could  not  be  contained  within  the  other  Task 
103  fields. 

8.1.5  Criticality  Matrix 

A  Criticality  ranking  of  each  functional  item  must  be  completed  to  determine 
the  most  critical  failure  modes  and  provide  a  basis  for  providing  design 
improvement  recommendations.  A  qualitative  criticality  matrix  for  the  aircraft 
receiver  is  shown  in  Figure  19.  Each  failure  mode  is  labeled  in  the  matrix  according 
to  its  identification  number.  From  this  matrix  it  is  evident  that  certain  failure 
modes  are  more  critical  than  others.  In  Figure  19,  the  most  mission  critical  failure 
mode  is  ID  #  001.  This  ID  number  corresponds  to  loss  of  output  signal  from  the 
antenna.  A  loss  of  the  output  signal  from  the  antenna  has  a  high  probability  of 
occurrence.  This  is  based  on  the  analyst's  judgment.  The  end  effect  of  this  failure 
mode  results  in  a  loss  of  communication  between  the  control  tower  and  the  pilot, 
which  is  a  hazardous  scenario.  Therefore,  the  end  effect  has  been  classified  a 
severity  level  of  I. 

8.1.6  Recommendations 

Recommendations  must  be  made  to  prevent  or  compensate  for  this  possible 
failure  mode.  One  recommendation  that  may  be  made  is  to  provide  a  redundant 
antenna  for  signal  reception.  Should  one  antenna  fail,  the  other  antenna  could  be 
used  to  compensate  for  the  loss  of  the  first  antenna.  Furthermore,  a  backup  means 
of  radio  communication  should  be  provided  to  the  pilot.  This  would  compensate 
for  this  failure  mode  and  other  failure  modes  that  cause  severity  II  end  effects. 

Failure  mode  016  is  ranked  as  the  second  most  critical  failure  mode.  This  failure 
mode  corresponds  to  the  local  oscillator  producing  an  incorrect  output.  A 
recommendation  must  be  developed  to  compensate  for  or  eliminate  the  possible 
occurrence  of  this  failure  mode.  Since  the  stability  of  the  local  oscillator  is  critical  to 
the  mission,  a  recommendation  should  be  made  requiring  the  use  of  high  quality 
parts  in  the  design  of  the  local  oscillator.  This  may  eliminate  or  reduce  local 
oscillator  drift.  Another  recommendation  may  be  to  perform  a  Worst  Case  Circuit 
Analysis on the local oscillator circuitry. This analysis will determine effects of
aging, temperature and other environmental conditions on the local oscillator
circuitry over its operational lifetime.

Item/Function               Failure Mode
Antenna Output              No Reception
Antenna Output              Signal Leakage
Antenna Output              Spurious Reception
RF Amp. Output              No Output
RF Amp. Output              Limited Voltage Gain
RF Amp. Output              Loss of RF Tuning Capability
Mixer Output                No Output
Mixer Output                Incorrect Output
IF Amplifier Output         No Output
IF Amplifier Output         Limited Voltage Gain
IF Amplifier Output         Loss of IF Tuning Capability
Detector Output             No Output
Detector Output             Intermittent Output
Detector Output             Loss of FB Signal
Local Oscillator Output     No Output
Local Oscillator Output     Incorrect Output
Local Oscillator Output     Intermittent Output
Audio Amplifier Output      No Output
Audio Amplifier Output      Intermittent Output
Audio Amplifier Output      Limited Voltage Gain
Speaker Output              No Output

FIGURE 19: CRITICALITY MATRIX (FAILURE MODES)

8.2  FMECA  Example  -  Quantitative  Approach 

The  following  is  an  example  of  a  quantitative  approach  to  FMECA.  The 
example  shown  is  a  FMECA  of  the  5VDC  Regulator  displayed  in  Figure  20.  This 
regulator  serves  as  the  regulated  power  supply  for  a  security  system.  The  structure 
of  the  security  system  will  be  kept  simple  for  example  purposes  and  only  the  5VDC 
regulator  sub-system  will  be  detailed.  The  system  structure  is  shown  here  for  the 
purpose  of  defining  next  higher  level  and  end  effects  of  component  failure  within 
the  5VDC  regulator.  The  steps  followed  in  this  example  will  adhere  to  the  FMECA 
analysis  process  detailed  in  Section  5.1. 


FIGURE  20:  SECURITY  SYSTEM  BLOCK  DIAGRAM 


8.2.1  System/Item  Indenture  Level  Definitions

The  security  system  is  designed  as  a  simplified,  single-purpose  intrusion 
detection  system.  Its  function  is  to  set  up  an  invisible  beam  of  light  across  the 
entrance  of  any  room,  office,  store,  etc.  When  the  light  path  is  interrupted  the  alarm 
will  sound. 

Since  the  5VDC  regulator  circuit  is  being  studied  in  detail  in  this  example,  the 
schematic  diagram  for  this  unit  is  provided  in  Figure  21.  The  following  describes 
the  security  system's  major  subassemblies. 

Laser Diode:  Provides the signal received by the photodetector. The
frequency is above the visible range and can be detected only by
the photodetector circuitry.

Photodetector:  Receives the signal transmitted by the Laser Diode. When the
photodetector is triggered by the incoming light signal it will
deactivate the alarm. If the incoming signal is broken, it will
cause the alarm to sound.

Alarm:  A 5VDC audio alarm used to give indication of an intrusion
into the defined zone.

5VDC Regulator:  Provides the required source voltage to the security system.
The regulator's power requirement is a 30VAC input. Diode
CR3 provides half-wave rectification for the AC signal. R1
provides a means of current limiting for the source. Since half-wave
rectification produces a large amount of ripple in the
output signal, a 47µF capacitor (C11) is used for initial filtering.
The series regulator circuit is constructed from R16, C9, R41,
Q1, and CR10. CR10 is a 5.6VDC zener diode. It is used to set up
a fixed bias voltage input to the base of Q1. This will set the
regulator output voltage to 5V since Vout = Vzener - Vbe
(5.0VDC = 5.6VDC - 0.6VDC). Q1 is used as an emitter follower
to pass the load current. R41 serves as protection for Q1 by
limiting the maximum allowable load current so as not to
exceed the maximum rating of Q1. R16 provides base current
limiting and current limiting for CR10. Since the voltage at the
cathode of CR10 may still have substantial ripple, C9 is used to
filter high frequencies and smooth the biasing signal at the base
of Q1. The final stage of the circuit has two capacitors used as
output filters. C10 is a .01 µF capacitor used to filter any high
frequency noise from the line. C15 is a 3.3pF capacitor that will
filter any remaining ripple voltage. The circuit output is a
regulated 5VDC used to power the Laser Diode, Photodetector,
and Alarm circuitry.

The  mission  phase  is  defined  as  being  both  the  "scan"  and  "alert"  modes  of
operation.  The  security  system  is  being  used  in  a  retail  store,  operating  12  hours  per 
day.  The  life  expectancy  for  the  system  is  10  years  or  43,800  operational  hours.  The 
primary  mission  objective  is  to  sound  the  alarm  as  a  result  of  intrusion.  All  end 
level  failure  effects  will  be  classified  according  to  their  severity  and  are  subject  to 
customer  approval.  These  classifications  are  given  as  follows: 


Category I (Catastrophic) (Loss of Alarm) - A failure that would cause the loss of
alarm leaving an intrusion undetected.

Category II (Critical) (False Alarm) - A failure that would cause a false
alarm.

Category III (Marginal) (Degraded Operation) - A failure that would cause degraded
operation of the system, but system would currently remain functional.

Category IV (Minor) (No Effect) - A failure that will alter system operation
so slightly that it will cause no noticeable end effect.


8.2.2 System Block Diagram

The block diagram for the security system is shown in Figure 20.

8.2.3  Ground  Rules  and  Assumptions

The  FMECA  has  been  completed  by  utilizing  the  available  schematic  diagrams, 
part  data  sheets,  and  flowcharts  which  depict  the  unit  and  its  operation.  It  is 
assumed  that  all  available  system  options  are  selected.  The  FMECA  and 
corresponding  report  are  presented  in  a  bottom-up  approach.  It  will  be  done  in 
accordance  with  MIL-STD-1629A,  Notice  2,  Tasks  101, 102  and  103.  This  approach 
examines  each  component  failure  mode  individually  to  determine  its  effect  and 
criticality  at  the  functional  and  system  levels. 

The  system  is  assumed  to  be  operating  in  a  ground-fixed  environment  at  an 
operating  temperature  of  20°C. 

The β values are the conditional probability that the failure effect will result in
the identified criticality classification, given that the failure mode occurs. Since the
design of the regulator is straightforward in terms of the function of each
component, the failure of each component produces a distinct effect. Since there are
no multiple effects associated with any failure mode, a β value of 1 is applicable for
each Task 102 entry.


For  the  purpose  of  this  example,  it  is  assumed  that  a  reliability  part  stress 
prediction  was  performed  on  all  of  the  components  within  the  5VDC  regulator 
circuitry  according  to  MIL-HDBK-217E,  Part  Stress  Method.  The  component  failure 
rates  from  this  analysis  are  as  follows: 

8.2.4  Failure  Modes

Failure  mode  information  for  each  component  type  is  presented  in  Table  2. 
These  values  were  derived  from  Failure  Mode/Mechanism  Distributions  (FMD-91), 
a  Reliability  Analysis  Center  publication. 


TABLE 2: PART FAILURE MODE DISTRIBUTIONS

Device Type                         Failure Mode        Failure Mode Probability (α)
Capacitor, Ceramic                  Short               .49
                                    Change in Value     .29
                                                        .22
Capacitor, Tantalum                 Short               .57
                                    Open                .32
                                    Change in Value     .11
Capacitor, Tantalum, Electrolytic   Short               .69
                                    Open                .17
                                    Change in Value     .14
Diode, Rectifier                    Short               .51
                                    Open                .29
                                    Parameter Change    .20
Diode, Zener, Voltage Regulator     Open                .45
                                    Parameter Change    .35
                                    Short               .20
Resistor, Fixed, Film               Open                .59
                                    Parameter Change    .36
                                    Short               .05
Transistor, Bipolar                 Short               .73
                                                        .27

8.2.5  Failure  Effects/Causes  Analysis

The  failure  effects/causes  analysis  is  completed  in  the  Task  101  worksheets  as 
referenced  in  MIL-STD-1629A.  Figure  22  details  the  Task  101  worksheets  for  the 
5VDC  regulator  circuit  as  part  of  the  security  system. 

8.2.6  Failure  Mode/Item  Criticality  Calculations 

The  failure  mode/item  criticality  calculations  are  presented  in  the  Task  102 
worksheets  as  referenced  in  MIL-STD-1629A.  Figure  23  details  the  Task  102 
worksheets  for  the  5VDC  regulator  circuit  as  part  of  the  security  system. 

FIGURE 22: FAILURE MODE AND EFFECTS ANALYSIS (TASK 101) (CONTD)

8.2.7 Maintainability Information

Maintainability  information  is  presented  in  the  Task  103  worksheets  as  referenced 
in  MIL-STD-1629A.  Figure  24  details  the  Task  103  worksheets  for  the  5VDC  regulator 
circuit  as  part  of  the  security  system. 

8.2.8 Criticality Ranking

The criticality ranking for the items within the 5VDC regulator circuitry of the
security system is presented in this section. The criticality ranking can be displayed in a
number of ways. First, the criticality matrix is used to plot the Failure Mode Criticality
vs.  Severity  of  the  Failure  Effect  as  shown  in  Figure  25.  Figure  26  displays  an  item 
criticality  ranking  which  lists  the  unit's  critical  items  in  descending  order,  based  on  item 
criticality  (Cr).  Lastly,  Figure  27  shows  a  failure  mode  criticality  ranking  which  lists  the 
unit's  critical  failure  modes  in  descending  order,  based  on  failure  mode  criticality  (Cm). 
The  ranking  worksheets  are  not  required  by  MIL-STD-1629A  but  offer  insight  into 
critical  design  areas. 
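
The Task 102 arithmetic behind the rankings described above, as an added example that is not part of the original report: it applies the MIL-STD-1629A relation Cm = β · α · λp · t and sums Cm per item and severity class to get Cr. The α values, β = 1 and t = 43,800 hours come from this section; the failure rates, the choice of R16 as a fixed film resistor, and every severity assignment other than CR3 short/open and CR10 short (Category I) are constructed placeholders, because the report's failure rate table and worksheets are not reproduced here.

```python
"""Quantitative criticality numbers (Task 102) for three parts of the 5VDC regulator."""
from collections import defaultdict

# Failure mode ratios (alpha) copied from Table 2 for the device types used here.
ALPHA = {
    "Diode, Rectifier": {"Short": 0.51, "Open": 0.29, "Parameter Change": 0.20},
    "Diode, Zener, Voltage Regulator": {"Open": 0.45, "Parameter Change": 0.35, "Short": 0.20},
    "Resistor, Fixed, Film": {"Open": 0.59, "Parameter Change": 0.36, "Short": 0.05},
}

MISSION_HOURS = 43_800  # t: 10 years at 12 hours per day (Section 8.2.1)
BETA = 1.0              # beta = 1 for every Task 102 entry (Section 8.2.3)

# CONSTRUCTED sample input: (reference designator, device type,
# failure rate in failures per 10^6 hours, severity class per failure mode).
# The failure rates are placeholders, not the report's MIL-HDBK-217E predictions.
# Only CR3 Short/Open and CR10 Short = Category I are stated in the report;
# the remaining severity classes and R16's device type are assumptions.
PARTS = [
    ("CR3", "Diode, Rectifier", 0.50,
     {"Short": "I", "Open": "I", "Parameter Change": "III"}),
    ("CR10", "Diode, Zener, Voltage Regulator", 0.80,
     {"Short": "I", "Open": "II", "Parameter Change": "III"}),
    ("R16", "Resistor, Fixed, Film", 0.10,
     {"Open": "II", "Parameter Change": "III", "Short": "IV"}),
]


def check_alpha(table, tol=1e-9):
    """Each device type's failure mode ratios must account for all of its failures."""
    for device, modes in table.items():
        total = sum(modes.values())
        if abs(total - 1.0) > tol:
            raise ValueError(f"alpha values for {device!r} sum to {total}, not 1")


def mode_criticality(beta, alpha, lambda_p, hours):
    """Cm = beta * alpha * lambda_p * t, with lambda_p in failures per 10^6 hours."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta is a conditional probability and must lie in [0, 1]")
    if not 0.0 <= alpha <= 1.0:
        raise ValueError("alpha is a fraction of the part's failures, in [0, 1]")
    if lambda_p < 0:
        raise ValueError("failure rate cannot be negative")
    if hours is None or hours <= 0:
        raise ValueError("operating time t must be stated and positive")
    return beta * alpha * lambda_p * 1e-6 * hours


def worksheet(parts, alpha_table=ALPHA, beta=BETA, hours=MISSION_HOURS):
    """One row per part failure mode, as on a Task 102 worksheet."""
    check_alpha(alpha_table)
    rows = []
    for ref, device, lambda_p, severity in parts:
        for mode, alpha in alpha_table[device].items():
            rows.append({
                "ref": ref,
                "mode": mode,
                "severity": severity[mode],
                "alpha": alpha,
                "cm": mode_criticality(beta, alpha, lambda_p, hours),
            })
    return rows


def item_criticality(rows):
    """Cr per (item, severity class): the sum of that item's Cm values in that class."""
    totals = defaultdict(float)
    for row in rows:
        totals[(row["ref"], row["severity"])] += row["cm"]
    return dict(totals)


def rank_modes(rows, severity=None):
    """Failure modes in descending order of Cm, optionally for one severity class."""
    chosen = [r for r in rows if severity is None or r["severity"] == severity]
    return sorted(chosen, key=lambda r: r["cm"], reverse=True)


if __name__ == "__main__":
    rows = worksheet(PARTS)
    print("Failure mode criticality ranking (Cm):")
    for r in rank_modes(rows):
        print(f"  {r['ref']:<5} {r['mode']:<17} sev {r['severity']:<3} Cm = {r['cm']:.6f}")
    print("Item criticality ranking (Cr):")
    ranked = sorted(item_criticality(rows).items(), key=lambda kv: kv[1], reverse=True)
    for (ref, sev), cr in ranked:
        print(f"  {ref:<5} sev {sev:<3} Cr = {cr:.6f}")
```

The input checks reject a β outside [0, 1] and a missing mission time, two of the common FMECA errors listed at the end of the preceding chapter.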

8.2.9  Results  and  Recommendations 

The  results  of  the  criticality  analysis  indicate  that  the  items  requiring  re-design 
attention  are  ID  #s  021,  001,  027  and  002  which  correspond  to  components  CR10,  C15 
and  CR3,  since  failure  modes  in  each  of  these  devices  have  high  criticality  rankings  in 
the  Level  1  severity  class.  Both  the  "open"  and  "short"  modes  of  failure  for  CR3  will 
cause  catastrophic  failure  effects,  while  only  the  "short"  mode  for  CR10  and  C15  will 
cause  catastrophic  effects.  The  largest  contributing  factor  to  the  high  criticality  numbers 
of  these  devices  is  their  high  failure  rates  with  respect  to  the  other  devices  in  the 
regulator  circuit.  The  design  should  be  modified  to  incorporate  better  quality  diodes 
with  higher  forward  current  ratings  in  place  of  CR3  and  CR10  in  their  respective  circuit 
locations. 

FIGURE 24: MAINTAINABILITY INFORMATION (TASK 103)

FIGURE 25: FAILURE MODE CRITICALITY MATRIX (axis label: Severity Classification)

9.0 SOFTWARE TOOLS FOR FMECA

Computer  software  used  to  perform  FMECA  is  commercially  available  from  several 
companies.  These  software  packages  are  designed  to  have  simple  user  interfaces  for 
data  input  routines  including  part  information,  failure  modes,  failure  rates,  failure 
effects,  etc.  These  programs  allow  the  user  to  build  a  database  that  represents  the 
hierarchical  structure  according  to  the  indenture  level  of  the  system  or  equipment  being 
analyzed.  The  computer  programs  are  used  primarily  for  database  functions  such  as 
sorting  and  reporting  since  a  FMECA  requires  significant  record  keeping.  In  addition, 
these  programs  are  useful  in  quantitative  FMECA  evaluations  by  performing  model 
failure  rate  calculations  for  each  part  failure  mode  and  criticality  number  computations. 
Output  reports  include  worksheets  from  the  traditional  formats  of  MIL-STD-1629.  A 
few  programs  also  provide  generation  of  criticality  matrices  and  allow  data  interchange 
between  programs  such  as  reliability  prediction,  maintainability  analysis  and  fault  tree 
analysis  software. 

Documents  are  available  which  provide  information  on  the  various  software  tools 
available  to  perform  a  FMECA.  The  Reliability  &  Maintainability  Software  Tools 
(RMST)  series,  available  from  the  Reliability  Analysis  Center,  provides  a  listing  of  the 
available  reliability,  maintainability  and  related  software  packages  including  FMECA, 
which  are  commercially  available  to  the  R&M  analyst.  In  most  instances,  these  products
are  available  to  both  government  and  industry.  RMST  also  highlights  relevant  data  such 
as  cost,  point  of  contact,  access /limitations,  hardware/ software  requirements,  and 
capabilities. 

Future  FMECA  software  development  activity  must  focus  on  integration  between 
computer-aided-engineering  tools  and  expert  system  shells.  Schematic  capture  utilities 
capable  of  producing  a  parts  list  could  be  interfaced  to  a  knowledge-base  of  known
component  inter-relationship  information  to  yield  a  logical  first  pass  draft  of  the
FMECA  worksheets.  This  could  save  much  of  the  worksheet  preparation  time  and  allow
engineers  to  concentrate  additional  time  on  investigating  potential  failure  effects.  The
initial  draft  could  then  be  updated  with  improved  data  and  passed  to  the  master
knowledge-base  of  component  inter-relationships  for  use  in  future  FMECA  activity.
Knowledge  bases  could  someday  be  shared  or  standardized  to  make  the  FMECA  a  less
labor-intensive  activity.  This  type  of  configuration  would  allow  almost  any  design  engineer
not  familiar  with  FMECA  construction  and  procedures  to  effectively  and  consistently
perform  the  analysis. 

10.0  ADDITIONAL  SOURCES/METHODS

MIL-STD-1629  is  not  the  only  standard  published  which  provides  guidelines  and 
procedures  for  performing  a  FMECA.  Many  industries  have  developed  special 
methods  for  performing  FMECA  tailored  to  a  particular  type  of  system  or  process  (see 
Section  10.1).  The  automobile,  space  and  nuclear  energy  industries  have  developed 
specialized  methods  for  performing  FMECA  on  specific  types  of  equipments  and 
processes.  Many  papers,  articles,  methods  and  standards  have  been  written  on  the 
subject  of  FMECA.  Appendix  B  provides  a  list  of  additional  reading  on  some  of  these 
specialized  FMECA  techniques. 

10.1  Process  FMEA 

Process  FMEA  is  a  new  method  for  identifying  potential  or  known  processing  failure 
modes  and  providing  problem  follow-up  and  corrective  action  guidelines.  The  intent  of 
the  Process  FMEA  is  to  identify  and  correct  known  or  potential  failure  modes  that  can 
occur  during  the  product  development  process,  prior  to  the  first  production  run, 
particularly  as  a  result  of  the  system  or  product  manufacturing  and  assembly  processes. 
Once  failure  modes  and  causes  have  been  determined,  each  failure  mode  is  ranked 
similarly  to  the  methods  used  and  described  in  this  report.  The  Process  FMEA  has  the 
greatest  impact  in  the  early  stages  of  process  design,  before  any  machines,  tools  or 
facilities  are  purchased.  Each  process  variable  must  be  identified,  analyzed  for  its
potential  modes  of  failure  and  recorded  in  the  Process  FMEA.  Failure  modes  are 
determined  by  analysis  of  potential  process  flow  problems  that  can  occur  during  a 
production  run. 

The  probability  of  each  failure  mode  occurrence  is  ranked  on  a  "1"  to  "10"  scale  and 
listed  on  the  Process  FMEA  form.  Each  failure  mode  is  ranked  by  its  potential  order  of 
occurrence.  The  absolute  number  of  failure  occurrences  assigned  to  a  ranking  is  at  the 
discretion  of  the  analyst  but  must  be  consistent  throughout  the  analysis. 

The  severity  of  each  potential  failure  effect  is  also  ranked  on  a  scale  of  "1"  to  "10"  and 
recorded  on  the  Process  FMEA  form.  This  factor  represents  the  seriousness  of  failure 
consequence  to  the  end  user  after  the  failure  has  occurred. 

A  defect  detection  factor  for  each  potential  failure  mode  is  recorded  on  the  Process
FMEA  form.  This  factor  also  ranges  from  "1"  to  "10"  and  estimates  the  probability  of
detecting  a  defect  before  a  part  or  component  leaves  the  manufacturing  or  assembly
location.

A  risk  priority  number  (RPN)  may  then  be  calculated  for  each  potential  failure
mode.  This  number  is  calculated  by  multiplying  together  the  occurrence,  severity  and
detection  ranking  factors  for  all  process  failure  modes.  Each  RPN  is  listed  on  the 
Process  FMEA  form. 

Failure  modes  with  the  highest  RPN's  and  occurrence  rankings  should  be  given 
priority  consideration  for  corrective  action  or  change  implementation.  Recommended 
corrective  actions  and  the  revised  rankings  of  such  actions  or  other  actions  taken,  are 
listed  on  the  Process  FMEA  form.  Figure  28  presents  a  sample  Process  FMEA 
Worksheet.  This  worksheet  and  the  description  of  its  field  contents  were  taken  from  the 
Quality  Alert  Institute's  Failure  Mode  and  Effects  Analysis  presentation  given  by  Dr. 
D.H.  Stamatis  to  the  Texas  Instruments  Semi-conductor  Group  in  Dallas,  TX,  September 
23, 1991. 

To  provide  a  uniform  development  of  potential  failure  mode  and  effects  analysis  for 
manufacturing  and  assembly  processes,  a  common  process  FMEA  form  must  be 
utilized.  This  section  provides  detailed  instructions  on  the  use  of  process  FMEA 
worksheets.  Circled  numbers  on  the  form  correspond  to  the  numbers  and  instructions 
that  follow. 

1.  Process 

Identify  the  process  operation  being  studied. 

2.  Primary  Process  Responsibility 

Enter  the  manufacturing  division  and  plant  that  has  prime 
responsibility  for  the  machine,  equipment  or  assembly  process. 

3.  Other  Division  or  Product  Engineering  Office  Involvement 

In  cases  where  more  than  one  Product  Engineering  Office  is  working 
on  the  design  program,  identify  each  office  involved.  Also,  indicate  other 
manufacturing  divisions  or  plants  involved. 

FIGURE  28:  PROCESS  FMEA  WORKSHEET

4.  Outside  Suppliers  Affected

Identify  outside  suppliers  involved  as  a  design  source  or  manufacturing 
source  of  a  major  component  within  the  subsystem. 

5.  Model  Year/Product(s) 

Enter  the  model  year  and  all  products  that  will  utilize  the  system, 
subsystem  or  component. 

6.  Scheduled  Production  Release 

Indicate  the  date  the  component,  subsystem  or  system  is  scheduled  for 
release.  If  the  subsystem  or  system  includes  several  components  with 
varied  release  dates,  show  the  last  date. 

7.  Engineer 

Show  the  name  and  the  phone  number  of  the  manufacturing/assembly
process  engineer. 

8.  Section  Supervisor 

Show  the  name  and  phone  number  of  the  section  supervisor  and  initial
when  approved. 

9.  FMEA  Date 

Show  the  date  of  the  first  FMEA  completed  and  the  product  and  the 
date  of  the  last  revision. 

10.  Part  Name/Part  Number 

Specify  the  name  of  items  being  analyzed.  Show  the  design  level  by 
suffixes  and  change  letters,  if  pertinent. 

11.  Process  Function

Indicate,  as  concisely  as  possible,  the  function  of  the  process  or 
component  being  analyzed. 


Reliability  Analysis  Center  (RAC)  •  201  Mill  Street  •  Rome,  NY  13440-6916  •  (315)  337-0900 




12.  Potential  Failure  Mode 

Describe  each  possible  failure  mode.  The  assumption  is  made  that  the 
failure  could  occur,  but  will  not  necessarily  occur.  The  process 
engineer  should  be  able  to  answer  the  questions  "What  could  possibly 
go  wrong  with  the  process?"  and  "How  can  the  part  fail  to  meet 
specifications?" 

13.  Potential  Effect(s)  of  Failure 

Assuming  the  failure  has  occurred,  describe  what  the  customer  might 
notice  or  experience:  "What  will  result  from  the  failure  mode 
identified?"  The  description  must  be  as  specific  as  possible. 

14.  Control  Items  (v) 

Indicate  all  Control  Item  Characteristics  (v)  with  the  appropriate 
symbol. 

15.  Potential  Cause(s)  of  Failure 

List  all  potential  causes  assignable  to  each  failure  mode.  Answer  the 
question,  "What  processing  variables  could  result  in  the  potential 
failure  mode?"  Be  sure  the  list  is  inclusive  so  that  remedial  efforts  will 
be  aimed  at  all  variables. 

16.  Current  Controls 

List  all  current  process  variable  controls  which  are  intended  to  prevent 
the  cause(s)  of  failure  from  occurring,  or  are  intended  to  detect  the
cause(s)  of  failure  or  the  resultant  failure  mode.

17.  Occurrence 

Estimate  the  probability  of  occurrence  on  a  "1"  to  "10"  scale  as  defined
below.  Only  controls  intended  to  prevent  the  cause  of  failure  from 
occurring  should  be  considered  in  this  estimate.  When  estimating  the 
Occurrence  Ranking,  consider  the  probability  that  the  potential  cause  of 
failure  will  occur  and  thus  result  in  the  indicated  potential  failure 
mode.  For  this  estimate,  assume  that  the  cause  of  failure  and  failure 
modes  are  not  detected  before  the  product  reaches  the  customer. 

18.  Severity

Estimate  the  severity  of  the  "effects  of  failure"  to  the  customer  on  a  "1" 
to  "10"  scale.  Severity  is  the  factor  that  represents  the  seriousness  of 
the  failure  to  the  customer  after  it  has  occurred. 

19.  Detection 

Using  a  "1"  to  "10"  scale,  estimate  the  probability  of  detecting  a  defect 
before  the  part  or  component  leaves  the  manufacturing  or  assembly 
location.  Assume  the  cause  of  failure  has  happened  and  assess  the 
capabilities  of  all  current  controls  to  prevent  shipment  of  the  defect. 
Random  quality  control  checks  would  be  unlikely  to  detect  an  isolated  defect
and  therefore  would  not  result  in  a  noticeable  detection  ranking  change. 
However,  sampling  done  on  a  statistical  basis  is  a  valid  detection  control. 

20.  Risk  Priority  Number  (RPN) 

Calculate  the  RPN  by  multiplying  together  the  Occurrence  (17),  Severity 
(18),  and  Detection  (19)  for  all  causes  of  failure.  The  highest  RPN's  and 
Occurrence  Rankings  should  be  given  the  first  consideration  for  corrective 
actions  and  statistical  process  control  charting. 

21.  Recommended  Action(s)  and  Status 

The  need  for  taking  positive  corrective  actions  with  quantifiable  benefits 
cannot  be  overemphasized.  A  well  developed  process  FMEA  will  be  of 
limited  value  without  effective  corrective  actions  and  follow-up. 
Corrective  actions  are  generally  either  design  or  process. 

22.  Action(s)  Taken 

Enter  the  status  of  the  recommended  corrective  action  -  Product  Change 
Request  (PCR)  numbers,  transmittal  numbers,  promise  dates  or  closed 
dates  under  the  description  of  the  corrective  action.  Once  the  corrective 
action  has  been  completed,  the  data  in  the  columns  under  Resulting 
Rankings  (23)  will  be  revised  for  the  affected  cause  of  failure.  At  that  time, 
the  Revision  Level  (9)  will  also  be  updated. 

23.  Resulting  Rankings

Enter  the  Revised  Rankings  after  corrective  action  is  completed. 
Recalculate  the  RPN. 

24.  Responsible  Activity 

Enter  the  responsible  activity  and/or  individual  for  the  action 
recommended. 
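
The ranking and re-ranking steps of fields 17 to 23, as an added Python example that is not part of the original report. The worksheet rows are constructed, the names `Cause`, `prioritize` and `resulting` are hypothetical, and ordering equal RPNs by Occurrence ranking is an assumed reading of "the highest RPN's and Occurrence Rankings".

```python
from dataclasses import dataclass, replace

RANK_MIN, RANK_MAX = 1, 10  # the "1" to "10" scale used for fields 17-19


@dataclass(frozen=True)
class Cause:
    """One cause-of-failure row of a Process FMEA worksheet (hypothetical layout)."""
    failure_mode: str   # field 12
    cause: str          # field 15
    occurrence: int     # field 17
    severity: int       # field 18
    detection: int      # field 19

    def __post_init__(self):
        # Reject rankings that fall outside the worksheet's scale.
        for name in ("occurrence", "severity", "detection"):
            value = getattr(self, name)
            if not isinstance(value, int) or not RANK_MIN <= value <= RANK_MAX:
                raise ValueError(f"{name}={value!r} is outside the 1-10 scale")

    @property
    def rpn(self) -> int:
        """Field 20: Occurrence x Severity x Detection."""
        return self.occurrence * self.severity * self.detection


def prioritize(rows):
    """Highest RPN first; equal RPNs are ordered by Occurrence (assumed tie-break)."""
    return sorted(rows, key=lambda r: (r.rpn, r.occurrence), reverse=True)


def resulting(row, **revised):
    """Field 23: apply revised rankings after corrective action; the RPN follows."""
    return replace(row, **revised)


# Constructed worksheet rows, for illustration only.
WORKSHEET = [
    Cause("Solder bridge", "Excess paste volume", occurrence=6, severity=7, detection=4),
    Cause("Missing component", "Feeder jam", occurrence=3, severity=8, detection=8),
    Cause("Cold joint", "Reflow profile drift", occurrence=7, severity=6, detection=4),
    Cause("Label misprint", "Ribbon wear", occurrence=5, severity=2, detection=3),
]

if __name__ == "__main__":
    for row in prioritize(WORKSHEET):
        print(f"{row.rpn:4d}  O={row.occurrence}  {row.failure_mode}: {row.cause}")
    fixed = resulting(WORKSHEET[0], occurrence=2, detection=2)
    print("Solder bridge after corrective action:", fixed.rpn)
```

Two of the constructed rows share an RPN of 168, so the listing shows how the Occurrence ranking decides which of them is addressed first.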

NORMALIZED  FAILURE  MODE  DISTRIBUTIONS  FOR  FMECA,  FMD-91

Device Type                   Failure Mode                  Failure Mode Probability (α)
----------------------------  ----------------------------  ----------------------------
Accumulator                   Leaking                       .47
                              Seized                        .23
                              Worn                          .20
                              Contaminated                  .10
Actuator                      Spurious Position Change      .36
                              Binding                       .27
                              Leaking                       .22
                              Seized                        .15
Adapter                       Physical Damage               .33
                              Out of Adjustment             .33
                              Leaking                       .33
Alarm                         False Indication              .48
                              Failure to Operate on Demand  .29
                              Spurious Operation            .18
                              Degraded Alarm                .05
Antenna                       No Transmission               .54
                              Signal Leakage                .21
                              Spurious Transmission         .25
Battery, Lithium              Degraded Output               .78
                              Startup Delay                 .14
                              Short                         .06
                              Open                          .02
Battery, Lead Acid            Degraded Output               .70
                              Short                         .20
                              Intermittent Output           .10
Battery, Rechargeable, Ni-Cd  Degraded Output               .72
                              No Output                     .28
Bearing                       Binding/Sticking              .50
                              Excessive Play                .43
                              Contaminated                  .07
Belt                          Excessive Wear                .75
                              Broken                        .25
Blower Assembly               Bearing Failure               .45
                              Sensor Failure                .16
                              Blade Erosion                 .15
                              Out of Balance                .10
                              Short Circuit                 .07
                              Switch Failure                .07
Brake                         Excessive Wear                .56
                              Leaking                       .23
                              Scored                        .11
                              Corroded                      .05
                              Loose                         .05
Bushing                       Excessive Wear                .85
                              Loose                         .11
                              Cracked                       .04

NORMALIZED  FAILURE  MODE  DISTRIBUTIONS  FOR  FMECA,  FMD-91  (CONTD)


Device  Type 


Capacitor,  Aluminum, 
Electrolytic,  Foil 


Capacitor,  Ceramic 


Capacitor,  Mica/Glass 


Capacitor,  Paper 


Capacitor,  Plastic 


Capacitor,  Tantalum 


Capacitor,  Tantalum, 
Electrolytic 


Capacitor,  Variable,  Piston 


Chopper 


Circuit  Breaker 


Computer  System 


Connector/Connection 


Controller,  Electromechanical 


Failure  Mode 


Short 

Excessive  Wear 
Open 


Short 

Open 

Electrolyte  Leak 
Decrease  in  Capacitance 


Short 

Change  in  Value 
Open 


Short 

Change  in  Value 


Open 

Short 

Change  in  Value 


Short 

Open 

Change  in  Value 


Short 

Open 

Change  in  Value 


Contact  Failure 

Short 

Open 

Coil  Failure 


Binding/Sticking 

Slippage 

No  Movement 


Short 

Open 

Change  in  Value 


Hardware  Failure 
Software  Failure 


Open 

Poor  Contact/Intermittent
Short 


Erroneous  Output 
Loss  of  Control 

NORMALIZED  FAILURE  MODE  DISTRIBUTIONS  FOR  FMECA,  FMD-91  (CONTD)


Device  Type 


Counter  Assembly 


Crystal,  Quartz 


Diode,  General 


Diode,  Rectifier 


Diode,  SCR 


Diode,  Small  Signal 


Diode,  Thyristor 


Diode,  Triac 


Diode,  Zener,  Voltage 
Reference 


Diode,  Zener,  Voltage 
Regulator 


Electric  Motor,  AC 


Fitting 


Gasket/Seal 


Gear 


Generator 


Failure  Mode 


Inaccurate  Count 
Seized 


Open 

No  Oscillation 


Parameter  Change 

Open 

Short 


Failed  Off 
Short 
Open 
Failed  On 


Failed  Off 
Failed  On 


Parameter  Change 

Open 

Short 


Open 

Parameter  Change 
Short 


Winding  Failure 
Bearing  Failure 
Fails  to  Run,  After  Start 
Fails  to  Start 


Leaking 

Contaminated 

Scored 


Leaking


Excessive  Wear
Binding/Sticking


Degraded  Output 
No  Output 

Fails  to  Run,  After  Start 
Loss  of  Control 

NORMALIZED  FAILURE  MODE  DISTRIBUTIONS  FOR  FMECA,  FMD-91  (CONTD)


Device  Type 


Hybrid  Device 


Injector 


Inner  Tube 


Keyboard  Assembly 


Lamp/Light 


Liquid  Crystal  Display 


Mechanical  Filter 


Microcircuit,  Digital,  Bipolar 


Microcircuit,  Digital,  MOS 


Microcircuit,  Interface 


Microcircuit,  Linear 


Microcircuit,  Memory, 
Bipolar 


Microcircuit,  Memory,  MOS 


Microwave  Amplifier 


Microwave  Antenna 


Failure  Mode 


Open  Circuit 
Degraded  Output 
Short  Circuit 


Corroded 
Deformed 
Cracked/Fractured


Leaking


Spring  Failure
Contact  Failure
Connection  Failure
Lock-up


No  Illumination 
Loss  of  Illumination 


Dim  Rows 
Blank  Display 
Flickering  Rows 
Missing  Elements 


Leaking 

Clogged 


Faulty  Indication 
Unable  to  Adjust 
Open 

No  Indication 


Output  Stuck  High 
Output  Stuck  Low 
Input  Open 


Input  Open 
Output  Open 
Supply  Open 
Output  Stuck  Low 
Output  Stuck  High


Output  Stuck  Low 
Output  Open 
Input  Open 


Improper  Output 
No  Output 


Slow  Transfer  of  Data 
Data  Bit  Loss 


Data  Bit  Loss 

Short 

Open 

Slow  Transfer  of  Data 


No  Output 
Limited  Voltage  Gain 


No  Transmission 

NORMALIZED  FAILURE  MODE  DISTRIBUTIONS  FOR  FMECA,  FMD-91  (CONTD)


Device  Type 


Microwave  Attenuator 


Microwave  Connector 


Microwave  Detector 


Microwave,  Diode 


Microwave  Filter 


Microwave  Mixer 


Microwave  Modulator 


Microwave  Oscillator 


Microwave  VCO 


Microwave  YIG 


Microwave  Phase  Shifter 


Microwave  Polarizer 


Optoelectronic  LED 


Optoelectronic  Sensor 


Pneumatic  Actuator 


Power  Supply 


Printed  Wiring  Assembly


Pump,  Centrifugal 


Pump,  Hydraulic 


Regulator 


Failure  Mode 


Attenuation  Increase 
Insertion  Loss 


High  Insertion  Loss 


Open 

Parameter  Change 
Short 


Power  Decrease 
Loss  of  Intermediate 


No  Output 
Untuned  Frequency 
Reduced  Power 


No  Output 
Untuned  Frequency 
Reduced  Power 


No  Output 
Untuned  Frequency 
Reduced  Power 


Incorrect  Output 


Change  in  Polarization 


Open 

Short 


Short 


Spurious  Closing 


No  Output 
Incorrect  Output 


Open 

Short 


No  Output 

Degraded  Output


Leaking 
Improper  Flow 
No  Flow 


Stuck  Closed 
Stuck  Open 
No  Output 
Leaking 

Insufficient  Output 

NORMALIZED  FAILURE  MODE  DISTRIBUTIONS  FOR  FMECA,  FMD-91  (CONTD)


Device  Type 


Relay 


Resistor,  Composition 


Resistor,  Fixed 


Resistor,  Fixed,  Film 


Resistor,  Fixed,  Wirewound 


Resistor,  Network 


Resistor,  Thermistor 


Resistor,  Variable 


Rotary  Switch 


Screw 


Solenoid 


Switch,  Push-button 


Switch,  Thermal 


Failure  Mode 


Fails  to  Trip 
Spurious  Trip 
Short 


Parameter  Change 

Open 

Short 


Open 

Parameter  Change 
Short 


Open 

Parameter  Change 
Short 


Open 

Parameter  Change 
Short 


Open 

Short 


Open 

Parameter  Change 
Short 


Open 

Erratic  Output 
Short 


Improper  Output 
Contact  Failure 


Loose 

Excessive  Wear 


Erratic  Output 
Short 
Open 
No  Output 


Design  Changes 
Design  Errors 
User  Error 

Documentation  Error 


Open 

Sticking 

Short 


Parameter  Change 
Open 
No  Control 
Short 

NORMALIZED  FAILURE  MODE  DISTRIBUTIONS  FOR  FMECA,  FMD-91  (CONTD)


Device  Type 


Switch,  Toggle 


Synchro 


Transducer,  Sensor 


Transformer 


Transistor,  Bipolar 


Transistor,  FET 


Transistor,  GaAs  FET 


Transistor,  R.F. 


Tube,  Electron 


Tube,  Traveling  Wave 


Valve,  Hydraulic 


Valve,  Pneumatic 


Valve,  Relief 


Failure  Mode 


Open 

Sticking 

Short 


Winding  Failure 
Bearing  Failure 
Brush  Failure 


Leaking 
Excessive  Wear 


Out  of  Tolerance 
False  Response 
Open 
Short 


Short 

Output  Low 
Parameter  Change 
Open 
Output  High


Open 
Short 
Parameter 


Parameter  Change 

Short 

Open 


Change  in  Parameter 
Open 

Unstable  Output 
Short 


Reduced  Output  Power 
High  Helix  Current 
Gun  Failure 
Helix 


Leaking 
Stuck  Closed
Stuck 


Leaking 
Stuck  Open 
Stuck  Closed
Spurious  Opening
Spurious  Closing


Premature  Open 
Leaking